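from IPython.core.display import display, HTML

# Inject CSS that widens the notebook's main container to 90% so the wide
# rank-comparison tables printed further down fit on screen.
display(HTML("<style>.container { width:90% !important; }</style>"))

import sys

# Put the parent directory on the import path; the d3tect imports below are
# resolved from there. NOTE(review): this is relative to the kernel's working
# directory, so the notebook has to be started from its own folder.
sys.path.append("../")

from d3tect.model import Datasource, Technique
from d3tect.visualize import Visualize as vis
from d3tect.visualize import Visualize_old as vis_old

# Print the rank ids each model exposes ("id: rank_name"); these ids are what
# the sort_type / compared_ranks arguments of print_rank_comp refer to.
print("Datasource | id: rank")
Datasource.print_available_ranks()
print("\nTechnique | id: rank")
Technique.print_available_ranks()

from d3tect.worker import worker

# ATT&CK v9.0 STIX data converted to YAML, relative to the notebook directory.
ATTACK_DB = '../stix-data/cti-ATT-CK-v9.0.yaml'


def build_worker(merged, include_subt, shorten_names=False):
    """Create a ``worker`` loaded from ``ATTACK_DB`` and print its general stats.

    The three worker variants below differ only in the ``merged`` /
    ``include_subt`` flags and in whether names are shortened, so the common
    set-up lives here.

    Args:
        merged: passed through unchanged to ``read_yml_fill_dicts``.
        include_subt: passed through unchanged to ``read_yml_fill_dicts``.
        shorten_names: value for ``fname_shorten``; when True, full names are
            abbreviated in prints (e.g. "Command and Scripting Interpreter" -> "CSI").

    Returns:
        The configured and loaded ``worker`` instance.
    """
    w = worker()
    # Attribute name (including the "tactis" spelling) is the one the worker
    # class defines; do not rename it here.
    w.fname_with_tactis = True  # full technique name with tactics
    w.fname_shorten = shorten_names
    # NOTE(review): read_yml_fill_dicts parses YAML from disk; confirm it uses a
    # safe loader (yaml.safe_load) rather than yaml.load — TODO
    w.read_yml_fill_dicts(ATTACK_DB, merged=merged, include_subt=include_subt, filter=None)
    w.print_general_stats()
    return w


# merged=False, include_subt=False, abbreviated names in prints.
worker1 = build_worker(merged=False, include_subt=False, shorten_names=True)
# merged=True, include_subt=False, full names in prints.
worker1_merged_nosubt = build_worker(merged=True, include_subt=False)
# merged=True, include_subt=True, full names in prints.
worker1_merged_subt = build_worker(merged=True, include_subt=True)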
Datasource | id: rank 0: rank_no_of_techniques 1: rank_total_no_examples 2: rank_total_no_examples_grp 3: rank_total_no_examples_sw 4: rank_total_no_examples_weighted 5: rank_total_no_tactics 6: rank_max_no_examples_weighted 7: rank_min_no_examples_weighted 8: rank_avg_no_examples_weighted 9: rank_median_no_examples_weighted Technique | id: rank 0: rank_no_examples 1: rank_no_examples_grp 2: rank_no_examples_sw 3: rank_no_examples_weighted 4: rank_no_tactics 5: rank_no_datasources Reading Number of techniques: 552 Number of main-techniques: 185 Number of sub-techniques: 367 Number of datasource: 99 Number of software examples: 493 Number of group examples: 117 Reading Number of techniques: 185 Number of main-techniques: 185 Number of sub-techniques: 0 Number of datasource: 99 Number of software examples: 493 Number of group examples: 117 Reading Number of techniques: 552 Number of main-techniques: 185 Number of sub-techniques: 367 Number of datasource: 99 Number of software examples: 493 Number of group examples: 117
# Rank comparison for the merged-with-sub-techniques worker, top 1000 entries,
# with the underlying values shown. sort_type / compared_ranks presumably index
# the "Technique | id: rank" list printed earlier (3 = rank_no_examples_weighted,
# 0-2 = the three example-count ranks) — confirm against worker.print_rank_comp.
worker1_merged_subt.print_rank_comp(
    with_val=True,
    sort_type=3,
    compared_ranks=range(3),
    comp_rank=True,
    top=1000,
)
ID Name R_WEIGH R_TOT R_GRP R_SW T1059 Command and Scripting Interpreter 1: 605.43 1: 339 (0, 0.0) 1: 83 (0, 0.0) 1: 256 (0, 0.0) T1027 Obfuscated Files or Information 2: 478.86 3: 267 (1, -0.2) 2: 66 (0, 0.0) 5: 201 (3, -0.43) T1105 Ingress Tool Transfer 3: 470.76 2: 291 (-1, 0.2) 7: 56 (4, -0.4) 2: 235 (-1, 0.2) T1071 Application Layer Protocol 4: 404.45 4: 260 (0, 0.0) 10: 45 (6, -0.43) 3: 215 (-1, 0.14) T1059.003 Command and Scripting Interpreter: Windows Command Shell 5: 402.92 6: 236 (1, -0.09) 9: 52 (4, -0.29) 7: 184 (2, -0.17) T1071.001 Application Layer Protocol: Web Protocols 6: 366.61 7: 235 (1, -0.08) 15: 41 (9, -0.43) 6: 194 (0, 0.0) T1082 System Information Discovery 7: 362.35 5: 250 (-2, 0.17) 21: 35 (14, -0.5) 4: 215 (-3, 0.27) T1547 Boot or Logon Autostart Execution 8: 337.45 10: 193 (2, -0.11) 11: 45 (3, -0.16) 11: 148 (3, -0.16) T1070 Indicator Removal on Host 9: 328.56 8: 213 (-1, 0.06) 18: 36 (9, -0.33) 8: 177 (-1, 0.06) T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 10: 322.45 13: 178 (3, -0.13) 12: 45 (2, -0.09) 14: 133 (4, -0.17) T1083 File and Directory Discovery 11: 313.14 9: 204 (-2, 0.1) 22: 34 (11, -0.33) 9: 170 (-2, 0.1) T1566 Phishing 12: 300.86 34: 89 (22, -0.48) 3: 66 (-9, 0.6) 93: 23 (81, -0.77) T1204 User Execution 13: 300.02 28: 101 (15, -0.37) 4: 62 (-9, 0.53) 61: 39 (48, -0.65) T1070.004 Indicator Removal on Host: File Deletion 14: 298.56 12: 183 (-2, 0.08) 19: 36 (5, -0.15) 12: 147 (-2, 0.08) T1036 Masquerading 15: 290.45 15: 146 (0, 0.0) 13: 45 (-2, 0.07) 19: 101 (4, -0.12) T1059.001 Command and Scripting Interpreter: PowerShell 16: 286.34 22: 113 (6, -0.16) 8: 54 (-8, 0.33) 39: 59 (23, -0.42) T1204.002 User Execution: Malicious File 17: 279.18 33: 93 (16, -0.32) 5: 58 (-12, 0.55) 66: 35 (49, -0.59) T1057 Process Discovery 18: 277.09 11: 184 (-7, 0.24) 31: 29 (13, -0.27) 10: 155 (-8, 0.29) T1016 System Network Configuration Discovery 19: 270.3 14: 174 (-5, 0.15) 29: 30 (10, -0.21) 13: 144 (-6, 
0.19) T1566.001 Phishing: Spearphishing Attachment 20: 257.97 42: 75 (22, -0.35) 6: 57 (-14, 0.54) 104: 18 (84, -0.68) T1053 Scheduled Task/Job 21: 232.77 21: 114 (0, 0.0) 17: 37 (-4, 0.11) 25: 77 (4, -0.09) T1003 OS Credential Dumping 22: 220.03 38: 82 (16, -0.27) 14: 43 (-8, 0.22) 60: 39 (38, -0.46) T1140 Deobfuscate/Decode Files or Information 23: 215.83 16: 142 (-7, 0.18) 38: 23 (15, -0.25) 16: 119 (-7, 0.18) T1033 System Owner/User Discovery 24: 212.25 18: 132 (-6, 0.14) 35: 25 (11, -0.19) 17: 107 (-7, 0.17) T1053.005 Scheduled Task/Job: Scheduled Task 25: 209.14 30: 100 (5, -0.09) 23: 34 (-2, 0.04) 32: 66 (7, -0.12) T1218 Signed Binary Proxy Execution 26: 206.93 27: 101 (1, -0.02) 25: 33 (-1, 0.02) 30: 68 (4, -0.07) T1560 Archive Collected Data 27: 197.51 31: 98 (4, -0.07) 27: 31 (0, 0.0) 31: 67 (4, -0.07) T1573 Encrypted Channel 28: 195.57 17: 141 (-11, 0.24) 61: 17 (33, -0.37) 15: 124 (-13, 0.3) T1056 Input Capture 29: 194.62 19: 124 (-10, 0.21) 42: 22 (13, -0.18) 18: 102 (-11, 0.23) T1036.005 Masquerading: Match Legitimate Name or Location 30: 193.09 29: 100 (-1, 0.02) 30: 29 (0, 0.0) 28: 71 (-2, 0.03) T1059.005 Command and Scripting Interpreter: Visual Basic 31: 186.35 43: 74 (12, -0.16) 20: 35 (-11, 0.22) 58: 39 (27, -0.3) T1055 Process Injection 32: 185.62 20: 115 (-12, 0.23) 44: 22 (12, -0.16) 22: 93 (-10, 0.19) T1056.001 Input Capture: Keylogging 33: 182.62 23: 112 (-10, 0.18) 43: 22 (10, -0.13) 24: 90 (-9, 0.16) T1005 Data from Local System 34: 177.88 36: 88 (2, -0.03) 32: 28 (-2, 0.03) 37: 60 (3, -0.04) T1078 Valid Accounts 35: 176.19 66: 51 (31, -0.31) 16: 39 (-19, 0.37) 143: 12 (108, -0.61) T1021 Remote Services 36: 173.93 52: 68 (16, -0.18) 24: 33 (-12, 0.2) 65: 35 (29, -0.29) T1543 Create or Modify System Process 37: 167.78 25: 110 (-12, 0.19) 54: 18 (17, -0.19) 23: 92 (-14, 0.23) T1113 Screen Capture 38: 152.73 24: 111 (-14, 0.23) 82: 13 (44, -0.37) 20: 98 (-18, 0.31) T1112 Modify Registry 39: 151.78 32: 94 (-7, 0.1) 56: 18 (17, -0.18) 26: 76 
(-13, 0.2) T1003.001 OS Credential Dumping: LSASS Memory 40: 149.51 67: 50 (27, -0.25) 28: 31 (-12, 0.18) 103: 19 (63, -0.44) T1518 Software Discovery 41: 148.99 37: 88 (-4, 0.05) 52: 19 (11, -0.12) 29: 69 (-12, 0.17) T1555 Credentials from Password Stores 42: 147.83 44: 74 (2, -0.02) 36: 23 (-6, 0.08) 43: 51 (1, -0.01) T1566.002 Phishing: Spearphishing Link 43: 147.72 72: 45 (29, -0.25) 26: 32 (-17, 0.25) 136: 13 (93, -0.52) T1543.003 Create or Modify System Process: Windows Service 44: 142.57 35: 88 (-9, 0.11) 59: 17 (15, -0.15) 27: 71 (-17, 0.24) T1102 Web Service 45: 141.83 53: 68 (8, -0.08) 40: 23 (-5, 0.06) 48: 45 (3, -0.03) T1573.001 Encrypted Channel: Symmetric Cryptography 46: 141.31 26: 106 (-20, 0.28) 91: 11 (45, -0.33) 21: 95 (-25, 0.37) T1074 Data Staged 47: 140.83 54: 67 (7, -0.07) 37: 23 (-10, 0.12) 50: 44 (3, -0.03) T1090 Proxy 48: 137.41 49: 70 (1, -0.01) 49: 21 (1, -0.01) 44: 49 (-4, 0.04) T1047 Windows Management Instrumentation 49: 136.41 50: 69 (1, -0.01) 50: 21 (1, -0.01) 46: 48 (-3, 0.03) T1087 Account Discovery 50: 135.41 51: 68 (1, -0.01) 46: 21 (-4, 0.04) 47: 47 (-3, 0.03) T1041 Exfiltration Over C2 Channel 51: 132.57 39: 78 (-12, 0.13) 63: 17 (12, -0.11) 35: 61 (-16, 0.19) T1204.001 User Execution: Malicious Link 52: 131.88 80: 42 (28, -0.21) 34: 28 (-18, 0.21) 129: 14 (77, -0.43) T1203 Exploitation for Client Execution 53: 128.88 84: 39 (31, -0.23) 33: 28 (-20, 0.23) 147: 11 (94, -0.47) T1574 Hijack Execution Flow 54: 127.41 59: 60 (5, -0.04) 48: 21 (-6, 0.06) 59: 39 (5, -0.04) T1018 Remote System Discovery 55: 126.83 63: 53 (8, -0.07) 39: 23 (-16, 0.17) 74: 30 (19, -0.15) T1562 Impair Defenses 56: 125.57 48: 71 (-8, 0.08) 65: 17 (9, -0.07) 42: 54 (-14, 0.14) T1518.001 Software Discovery: Security Software Discovery 57: 124.15 40: 76 (-17, 0.18) 75: 15 (18, -0.14) 36: 61 (-21, 0.23) T1049 System Network Connections Discovery 58: 123.99 56: 63 (-2, 0.02) 53: 19 (-5, 0.05) 52: 44 (-6, 0.05) T1564 Hide Artifacts 59: 123.36 46: 72 (-13, 
0.12) 67: 16 (8, -0.06) 41: 56 (-18, 0.18) T1074.001 Data Staged: Local Data Staging 60: 119.78 57: 62 (-3, 0.03) 55: 18 (-5, 0.04) 51: 44 (-9, 0.08) T1553 Subvert Trust Controls 61: 116.2 64: 52 (3, -0.02) 51: 20 (-10, 0.09) 71: 32 (10, -0.08) T1555.003 Credentials from Password Stores: Credentials from Web Browsers 62: 115.57 58: 61 (-4, 0.03) 60: 17 (-2, 0.02) 49: 44 (-13, 0.12) T1012 Query Registry 63: 110.52 47: 72 (-16, 0.15) 84: 12 (21, -0.14) 38: 60 (-25, 0.25) T1106 Native API 64: 110.31 41: 75 (-23, 0.22) 94: 11 (30, -0.19) 34: 64 (-30, 0.31) T1560.001 Archive Collected Data: Archive via Utility 65: 109.62 83: 39 (18, -0.12) 41: 22 (-24, 0.23) 107: 17 (42, -0.24) T1021.001 Remote Services: Remote Desktop Protocol 66: 107.62 88: 37 (22, -0.14) 45: 22 (-21, 0.19) 120: 15 (54, -0.29) T1218.011 Signed Binary Proxy Execution: Rundll32 67: 106.15 60: 58 (-7, 0.06) 74: 15 (7, -0.05) 53: 43 (-14, 0.12) T1132 Data Encoding 68: 106.1 45: 74 (-23, 0.2) 100: 10 (32, -0.19) 33: 64 (-35, 0.35) T1553.002 Subvert Trust Controls: Code Signing 69: 101.78 76: 44 (7, -0.05) 57: 18 (-12, 0.1) 82: 26 (13, -0.09) T1027.002 Obfuscated Files or Information: Software Packing 70: 99.94 62: 55 (-8, 0.06) 79: 14 (9, -0.06) 55: 41 (-15, 0.12) T1132.001 Data Encoding: Standard Encoding 71: 98.1 55: 66 (-16, 0.13) 101: 10 (30, -0.17) 40: 56 (-31, 0.28) T1562.001 Impair Defenses: Disable or Modify Tools 72: 96.73 61: 55 (-11, 0.08) 80: 13 (8, -0.05) 54: 42 (-18, 0.14) T1546 Event Triggered Execution 73: 95.57 81: 41 (8, -0.05) 62: 17 (-11, 0.08) 88: 24 (15, -0.09) T1189 Drive-by Compromise 74: 94.41 109: 27 (35, -0.19) 47: 21 (-27, 0.22) 189: 6 (115, -0.44) T1119 Automated Collection 75: 91.15 77: 43 (2, -0.01) 73: 15 (-2, 0.01) 77: 28 (2, -0.01) T1046 Network Service Scanning 76: 89.36 85: 38 (9, -0.06) 69: 16 (-7, 0.05) 95: 22 (19, -0.11) T1036.004 Masquerading: Masquerade Task or Service 77: 86.73 71: 45 (-6, 0.04) 81: 13 (4, -0.03) 70: 32 (-7, 0.05) T1574.002 Hijack Execution Flow: 
DLL Side-Loading 78: 86.36 93: 35 (15, -0.09) 68: 16 (-10, 0.07) 100: 19 (22, -0.12) T1110 Brute Force 79: 84.36 96: 33 (17, -0.1) 66: 16 (-13, 0.09) 108: 17 (29, -0.16) T1021.002 Remote Services: SMB/Windows Admin Shares 80: 84.36 97: 33 (17, -0.1) 70: 16 (-10, 0.07) 111: 17 (31, -0.16) T1124 System Time Discovery 81: 82.1 68: 50 (-13, 0.09) 105: 10 (24, -0.13) 57: 40 (-24, 0.17) T1087.001 Account Discovery: Local Account 82: 80.31 70: 45 (-12, 0.08) 88: 11 (6, -0.04) 67: 34 (-15, 0.1) T1569 System Services 83: 80.31 74: 45 (-9, 0.06) 98: 11 (15, -0.08) 68: 34 (-15, 0.1) T1569.002 System Services: Service Execution 84: 78.31 78: 43 (-6, 0.04) 99: 11 (15, -0.08) 72: 32 (-12, 0.08) T1133 External Remote Services 85: 75.57 132: 21 (47, -0.22) 64: 17 (-21, 0.14) 223: 4 (138, -0.45) T1102.002 Web Service: Bidirectional Communication 86: 75.52 89: 37 (3, -0.02) 87: 12 (1, -0.01) 84: 25 (-2, 0.01) T1087.002 Account Discovery: Domain Account 87: 74.94 100: 30 (13, -0.07) 76: 14 (-11, 0.07) 112: 16 (25, -0.13) T1552 Unsecured Credentials 88: 74.52 90: 36 (2, -0.01) 86: 12 (-2, 0.01) 89: 24 (1, -0.01) T1505 Server Software Component 89: 74.36 123: 23 (34, -0.16) 71: 16 (-18, 0.11) 179: 7 (90, -0.34) T1007 System Service Discovery 90: 73.89 73: 45 (-17, 0.1) 116: 9 (26, -0.13) 64: 36 (-26, 0.17) T1505.003 Server Software Component: Web Shell 91: 73.36 129: 22 (38, -0.17) 72: 16 (-19, 0.12) 195: 6 (104, -0.36) T1069 Permission Groups Discovery 92: 73.31 86: 38 (-6, 0.03) 97: 11 (5, -0.03) 79: 27 (-13, 0.08) T1583 Acquire Infrastructure 93: 71.57 146: 17 (53, -0.22) 58: 17 (-35, 0.23) 370: 0 (277, -0.6) T1059.007 Command and Scripting Interpreter: JavaScript 94: 69.94 113: 25 (19, -0.09) 77: 14 (-17, 0.1) 145: 11 (51, -0.21) T1548 Abuse Elevation Control Mechanism 95: 67.89 82: 39 (-13, 0.07) 106: 9 (11, -0.05) 73: 30 (-22, 0.13) T1135 Network Share Discovery 96: 65.31 103: 30 (7, -0.04) 95: 11 (-1, 0.01) 101: 19 (5, -0.03) T1571 Non-Standard Port 97: 65.31 104: 30 (7, -0.03) 
96: 11 (-1, 0.01) 102: 19 (5, -0.03) T1573.002 Encrypted Channel: Asymmetric Cryptography 98: 65.26 69: 46 (-29, 0.17) 148: 6 (50, -0.2) 56: 40 (-42, 0.27) T1497 Virtualization/Sandbox Evasion 99: 64.84 65: 52 (-34, 0.21) 200: 4 (101, -0.34) 45: 48 (-54, 0.38) T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 100: 63.89 91: 35 (-9, 0.05) 107: 9 (7, -0.03) 80: 26 (-20, 0.11) T1114 Email Collection 101: 63.52 116: 25 (15, -0.07) 83: 12 (-18, 0.1) 134: 13 (33, -0.14) T1059.006 Command and Scripting Interpreter: Python 102: 63.31 106: 28 (4, -0.02) 90: 11 (-12, 0.06) 109: 17 (7, -0.03) T1055.001 Process Injection: Dynamic-link Library Injection 103: 63.26 75: 44 (-28, 0.16) 159: 6 (56, -0.21) 62: 38 (-41, 0.25) T1190 Exploit Public-Facing Application 104: 61.94 147: 17 (43, -0.17) 78: 14 (-26, 0.14) 246: 3 (142, -0.41) T1071.004 Application Layer Protocol: DNS 105: 61.89 95: 33 (-10, 0.05) 108: 9 (3, -0.01) 85: 24 (-20, 0.11) T1095 Non-Application Layer Protocol 106: 61.26 79: 42 (-27, 0.15) 156: 6 (50, -0.19) 63: 36 (-43, 0.25) T1070.006 Indicator Removal on Host: Timestomp 107: 59.68 94: 34 (-13, 0.06) 123: 8 (16, -0.07) 81: 26 (-26, 0.14) T1559 Inter-Process Communication 108: 58.31 122: 23 (14, -0.06) 93: 11 (-15, 0.07) 138: 12 (30, -0.12) T1219 Remote Access Software 109: 56.52 144: 18 (35, -0.14) 85: 12 (-24, 0.12) 194: 6 (85, -0.28) T1068 Exploitation for Privilege Escalation 110: 56.31 131: 21 (21, -0.09) 92: 11 (-18, 0.09) 153: 10 (43, -0.16) T1564.003 Hide Artifacts: Hidden Window 111: 56.1 119: 24 (8, -0.03) 103: 10 (-8, 0.04) 125: 14 (14, -0.06) T1564.001 Hide Artifacts: Hidden Files and Directories 112: 54.26 92: 35 (-20, 0.1) 153: 6 (41, -0.15) 76: 29 (-36, 0.19) T1048 Exfiltration Over Alternative Protocol 113: 53.89 117: 25 (4, -0.02) 110: 9 (-3, 0.01) 114: 16 (1, -0.0) T1547.009 Boot or Logon Autostart Execution: Shortcut Modification 114: 53.47 99: 31 (-15, 0.07) 132: 7 (18, -0.07) 86: 24 (-28, 0.14) T1027.001 Obfuscated Files 
or Information: Binary Padding 115: 50.68 118: 25 (3, -0.01) 126: 8 (11, -0.05) 110: 17 (-5, 0.02) T1559.002 Inter-Process Communication: Dynamic Data Exchange 116: 50.1 143: 18 (27, -0.1) 104: 10 (-12, 0.05) 169: 8 (53, -0.19) T1218.010 Signed Binary Proxy Execution: Regsvr32 117: 49.89 134: 21 (17, -0.07) 115: 9 (-2, 0.01) 142: 12 (25, -0.1) T1008 Fallback Channels 118: 49.84 87: 37 (-31, 0.15) 188: 4 (70, -0.23) 69: 33 (-49, 0.26) T1552.001 Unsecured Credentials: Credentials In Files 119: 49.68 120: 24 (1, -0.0) 130: 8 (11, -0.04) 117: 16 (-2, 0.01) T1001 Data Obfuscation 120: 49.26 102: 30 (-18, 0.08) 144: 6 (24, -0.09) 87: 24 (-33, 0.16) T1070.001 Indicator Removal on Host: Clear Windows Event Logs 121: 48.89 135: 20 (14, -0.05) 112: 9 (-9, 0.04) 148: 11 (27, -0.1) T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 122: 47.68 125: 22 (3, -0.01) 122: 8 (0, 0.0) 124: 14 (2, -0.01) T1120 Peripheral Device Discovery 123: 47.26 107: 28 (-16, 0.07) 158: 6 (35, -0.12) 96: 22 (-27, 0.12) T1550 Use Alternate Authentication Material 124: 46.89 145: 18 (21, -0.08) 117: 9 (-7, 0.03) 165: 9 (41, -0.14) T1136 Create Account 125: 46.68 130: 21 (5, -0.02) 120: 8 (-5, 0.02) 132: 13 (7, -0.03) T1583.001 Acquire Infrastructure: Domains 126: 46.31 181: 11 (55, -0.18) 89: 11 (-37, 0.17) 373: 0 (247, -0.49) T1218.005 Signed Binary Proxy Execution: Mshta 127: 45.89 150: 17 (23, -0.08) 114: 9 (-13, 0.05) 173: 8 (46, -0.15) T1562.004 Impair Defenses: Disable or Modify System Firewall 128: 45.47 121: 23 (-7, 0.03) 135: 7 (7, -0.03) 116: 16 (-12, 0.05) T1568 Dynamic Resolution 129: 45.26 111: 26 (-18, 0.07) 147: 6 (18, -0.07) 99: 20 (-30, 0.13) T1134 Access Token Manipulation 130: 44.05 105: 28 (-25, 0.11) 162: 5 (32, -0.11) 91: 23 (-39, 0.18) T1003.002 OS Credential Dumping: Security Account Manager 131: 43.47 133: 21 (2, -0.01) 137: 7 (6, -0.02) 126: 14 (-5, 0.02) T1560.003 Archive Collected Data: Archive via Custom Method 132: 
43.05 108: 27 (-24, 0.1) 165: 5 (33, -0.11) 94: 22 (-38, 0.17) T1090.002 Proxy: External Proxy 133: 42.89 164: 14 (31, -0.1) 113: 9 (-20, 0.08) 211: 5 (78, -0.23) T1497.001 Virtualization/Sandbox Evasion: System Checks 134: 42.63 98: 33 (-36, 0.16) 228: 3 (94, -0.26) 75: 30 (-59, 0.28) T1570 Lateral Tool Transfer 135: 42.47 136: 20 (1, -0.0) 136: 7 (1, -0.0) 135: 13 (0, 0.0) T1587 Develop Capabilities 136: 42.1 191: 10 (55, -0.17) 102: 10 (-34, 0.14) 412: 0 (276, -0.5) T1114.002 Email Collection: Remote Email Collection 137: 41.89 168: 13 (31, -0.1) 109: 9 (-28, 0.11) 221: 4 (84, -0.23) T1027.005 Obfuscated Files or Information: Indicator Removal from Tools 138: 41.68 152: 16 (14, -0.05) 127: 8 (-11, 0.04) 170: 8 (32, -0.1) T1574.001 Hijack Execution Flow: DLL Search Order Hijacking 139: 41.26 126: 22 (-13, 0.05) 154: 6 (15, -0.05) 115: 16 (-24, 0.09) T1078.002 Valid Accounts: Domain Accounts 140: 40.89 178: 12 (38, -0.12) 118: 9 (-22, 0.09) 262: 3 (122, -0.3) T1003.004 OS Credential Dumping: LSA Secrets 141: 40.68 160: 15 (19, -0.06) 124: 8 (-17, 0.06) 178: 7 (37, -0.12) T1115 Clipboard Data 142: 39.63 101: 30 (-41, 0.17) 205: 3 (63, -0.18) 78: 27 (-64, 0.29) T1136.001 Create Account: Local Account 143: 38.26 138: 19 (-5, 0.02) 143: 6 (0, 0.0) 133: 13 (-10, 0.04) T1589 Gather Victim Identity Information 144: 37.89 201: 9 (57, -0.17) 111: 9 (-33, 0.13) 446: 0 (302, -0.51) T1486 Data Encrypted for Impact 145: 37.84 115: 25 (-30, 0.12) 183: 4 (38, -0.12) 98: 21 (-47, 0.19) T1003.003 OS Credential Dumping: NTDS 146: 37.68 175: 12 (29, -0.09) 125: 8 (-21, 0.08) 227: 4 (81, -0.22) T1078.003 Valid Accounts: Local Accounts 147: 37.68 179: 12 (32, -0.1) 131: 8 (-16, 0.06) 232: 4 (85, -0.22) T1021.004 Remote Services: SSH 148: 36.68 185: 11 (37, -0.11) 129: 8 (-19, 0.07) 254: 3 (106, -0.26) T1550.002 Use Alternate Authentication Material: Pass the Hash 149: 36.47 166: 14 (17, -0.05) 141: 7 (-8, 0.03) 181: 7 (32, -0.1) T1071.003 Application Layer Protocol: Mail Protocols 
150: 35.05 137: 19 (-13, 0.05) 164: 5 (14, -0.04) 122: 14 (-28, 0.1) T1069.002 Permission Groups Discovery: Domain Groups 151: 35.05 140: 19 (-11, 0.04) 171: 5 (20, -0.06) 127: 14 (-24, 0.09) T1069.001 Permission Groups Discovery: Local Groups 152: 35.05 141: 19 (-11, 0.04) 172: 5 (20, -0.06) 128: 14 (-24, 0.09) T1055.012 Process Injection: Process Hollowing 153: 34.84 127: 22 (-26, 0.09) 193: 4 (40, -0.12) 105: 18 (-48, 0.19) T1014 Rootkit 154: 34.84 128: 22 (-26, 0.09) 197: 4 (43, -0.12) 106: 18 (-48, 0.18) T1588 Obtain Capabilities 155: 34.68 203: 9 (48, -0.13) 128: 8 (-27, 0.1) 341: 1 (186, -0.38) T1040 Network Sniffing 156: 34.26 159: 15 (3, -0.01) 155: 6 (-1, 0.0) 162: 9 (6, -0.02) T1020 Automated Exfiltration 157: 34.05 142: 18 (-15, 0.05) 166: 5 (9, -0.03) 131: 13 (-26, 0.09) T1583.006 Acquire Infrastructure: Web Services 158: 33.68 211: 8 (53, -0.14) 119: 8 (-39, 0.14) 376: 0 (218, -0.41) T1585 Establish Accounts 159: 33.68 215: 8 (56, -0.15) 121: 8 (-38, 0.14) 425: 0 (266, -0.46) T1027.003 Obfuscated Files or Information: Steganography 160: 33.05 148: 17 (-12, 0.04) 170: 5 (10, -0.03) 139: 12 (-21, 0.07) T1125 Video Capture 161: 32.42 112: 26 (-49, 0.18) 284: 2 (123, -0.28) 90: 24 (-71, 0.28) T1090.001 Proxy: Internal Proxy 162: 32.05 153: 16 (-9, 0.03) 175: 5 (13, -0.04) 149: 11 (-13, 0.04) T1218.007 Signed Binary Proxy Execution: Msiexec 163: 32.05 155: 16 (-8, 0.03) 178: 5 (15, -0.04) 151: 11 (-12, 0.04) T1059.004 Command and Scripting Interpreter: Unix Shell 164: 31.42 114: 25 (-50, 0.18) 238: 2 (74, -0.18) 92: 23 (-72, 0.28) T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription 165: 31.26 173: 12 (8, -0.02) 150: 6 (-15, 0.05) 191: 6 (26, -0.07) T1102.001 Web Service: Dead Drop Resolver 166: 31.05 161: 15 (-5, 0.02) 179: 5 (13, -0.04) 155: 10 (-11, 0.03) T1598 Phishing for Information 167: 30.47 223: 8 (56, -0.14) 138: 7 (-29, 0.1) 346: 1 (179, -0.35) T1567 Exfiltration Over Web Service 168: 30.26 183: 11 (15, 
-0.04) 151: 6 (-17, 0.05) 202: 5 (34, -0.09) T1210 Exploitation of Remote Services 169: 30.05 163: 14 (-6, 0.02) 169: 5 (0, 0.0) 159: 9 (-10, 0.03) T1090.003 Proxy: Multi-hop Proxy 170: 30.05 165: 14 (-5, 0.01) 176: 5 (6, -0.02) 163: 9 (-7, 0.02) T1074.002 Data Staged: Remote Data Staging 171: 29.47 227: 7 (56, -0.14) 133: 7 (-38, 0.12) 403: 0 (232, -0.4) T1587.001 Develop Capabilities: Malware 172: 29.47 229: 7 (57, -0.14) 134: 7 (-38, 0.12) 416: 0 (244, -0.41) T1566.003 Phishing: Spearphishing via Service 173: 29.47 236: 7 (63, -0.15) 139: 7 (-34, 0.11) 497: 0 (324, -0.48) T1221 Template Injection 174: 29.47 238: 7 (64, -0.16) 140: 7 (-34, 0.11) 540: 0 (366, -0.51) T1039 Data from Network Shared Drive 175: 29.26 190: 10 (15, -0.04) 146: 6 (-29, 0.09) 219: 4 (44, -0.11) T1123 Audio Capture 176: 29.21 110: 26 (-66, 0.23) 290: 1 (114, -0.24) 83: 25 (-93, 0.36) T1091 Replication Through Removable Media 177: 28.84 154: 16 (-23, 0.07) 195: 4 (18, -0.05) 140: 12 (-37, 0.12) T1025 Data from Removable Media 178: 28.63 139: 19 (-39, 0.12) 210: 3 (32, -0.08) 113: 16 (-65, 0.22) T1110.003 Brute Force: Password Spraying 179: 28.26 198: 9 (19, -0.05) 142: 6 (-37, 0.12) 237: 3 (58, -0.14) T1137 Office Application Startup 180: 28.26 204: 9 (24, -0.06) 157: 6 (-23, 0.07) 251: 3 (71, -0.16) T1195 Supply Chain Compromise 181: 28.26 206: 9 (25, -0.06) 160: 6 (-21, 0.06) 258: 3 (77, -0.18) T1195.002 Supply Chain Compromise: Compromise Software Supply Chain 182: 28.26 207: 9 (25, -0.06) 161: 6 (-21, 0.06) 259: 3 (77, -0.17) T1071.002 Application Layer Protocol: File Transfer Protocols 183: 27.84 156: 15 (-27, 0.08) 180: 4 (-3, 0.01) 144: 11 (-39, 0.12) T1213 Data from Information Repositories 184: 27.26 213: 8 (29, -0.07) 145: 6 (-39, 0.12) 275: 2 (91, -0.2) T1546.008 Event Triggered Execution: Accessibility Features 185: 26.26 231: 7 (46, -0.11) 149: 6 (-36, 0.11) 317: 1 (132, -0.26) T1589.002 Gather Victim Identity Information: Email Addresses 186: 25.26 247: 6 (61, -0.14) 152: 6 
(-34, 0.1) 448: 0 (262, -0.41) T1010 Application Window Discovery 187: 25.21 124: 22 (-63, 0.2) 289: 1 (102, -0.21) 97: 21 (-90, 0.32) T1098 Account Manipulation 188: 25.05 195: 9 (7, -0.02) 163: 5 (-25, 0.07) 213: 4 (25, -0.06) T1572 Protocol Tunneling 189: 25.05 205: 9 (16, -0.04) 174: 5 (-15, 0.04) 228: 4 (39, -0.09) T1542 Pre-OS Boot 190: 24.84 176: 12 (-14, 0.04) 192: 4 (2, -0.01) 171: 8 (-19, 0.05) T1496 Resource Hijacking 191: 24.84 177: 12 (-14, 0.04) 196: 4 (5, -0.01) 172: 8 (-19, 0.05) T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage 192: 24.05 216: 8 (24, -0.06) 168: 5 (-24, 0.07) 245: 3 (53, -0.12) T1485 Data Destruction 193: 23.63 162: 14 (-31, 0.09) 208: 3 (15, -0.04) 146: 11 (-47, 0.14) T1489 Service Stop 194: 23.42 149: 17 (-45, 0.13) 277: 2 (83, -0.18) 121: 15 (-73, 0.23) T1197 BITS Jobs 195: 22.84 188: 10 (-7, 0.02) 181: 4 (-14, 0.04) 183: 6 (-12, 0.03) T1568.002 Dynamic Resolution: Domain Generation Algorithms 196: 22.42 151: 16 (-45, 0.13) 253: 2 (57, -0.13) 123: 14 (-73, 0.23) T1218.001 Signed Binary Proxy Execution: Compiled HTML File 197: 22.05 252: 6 (55, -0.12) 177: 5 (-20, 0.05) 355: 1 (158, -0.29) T1114.001 Email Collection: Local Email Collection 198: 21.63 172: 12 (-26, 0.07) 211: 3 (13, -0.03) 158: 9 (-40, 0.11) T1222 File and Directory Permissions Modification 199: 21.63 174: 12 (-25, 0.07) 212: 3 (13, -0.03) 160: 9 (-39, 0.11) T1584 Compromise Infrastructure 200: 21.05 258: 5 (58, -0.13) 167: 5 (-33, 0.09) 394: 0 (194, -0.33) T1598.003 Phishing for Information: Spearphishing Link 201: 21.05 264: 5 (63, -0.14) 173: 5 (-28, 0.07) 495: 0 (294, -0.42) T1561 Disk Wipe 202: 20.84 214: 8 (12, -0.03) 184: 4 (-18, 0.05) 220: 4 (18, -0.04) T1003.005 OS Credential Dumping: Cached Domain Credentials 203: 20.84 221: 8 (18, -0.04) 190: 4 (-13, 0.03) 226: 4 (23, -0.05) T1558 Steal or Forge Kerberos Tickets 204: 20.84 225: 8 (21, -0.05) 198: 4 (-6, 0.01) 230: 4 (26, -0.06) T1561.002 Disk Wipe: Disk Structure Wipe 205: 19.84 
230: 7 (25, -0.06) 185: 4 (-20, 0.05) 242: 3 (37, -0.08) T1037 Boot or Logon Initialization Scripts 206: 19.63 189: 10 (-17, 0.04) 204: 3 (-2, 0.0) 174: 7 (-32, 0.08) T1552.004 Unsecured Credentials: Private Keys 207: 19.63 193: 10 (-14, 0.04) 226: 3 (19, -0.04) 180: 7 (-27, 0.07) T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL 208: 18.63 196: 9 (-12, 0.03) 203: 3 (-5, 0.01) 184: 6 (-24, 0.06) T1555.004 Credentials from Password Stores: Windows Credential Manager 209: 18.63 199: 9 (-10, 0.02) 207: 3 (-2, 0.0) 186: 6 (-23, 0.06) T1529 System Shutdown/Reboot 210: 18.63 208: 9 (-2, 0.0) 224: 3 (14, -0.03) 196: 6 (-14, 0.03) T1080 Taint Shared Content 211: 18.63 209: 9 (-2, 0.0) 225: 3 (14, -0.03) 197: 6 (-14, 0.03) T1001.003 Data Obfuscation: Protocol Impersonation 212: 18.42 171: 12 (-41, 0.11) 246: 2 (34, -0.07) 152: 10 (-60, 0.16) T1110.002 Brute Force: Password Cracking 213: 17.84 257: 5 (44, -0.09) 182: 4 (-31, 0.08) 312: 1 (99, -0.19) T1021.006 Remote Services: Windows Remote Management 214: 17.84 266: 5 (52, -0.11) 194: 4 (-20, 0.05) 352: 1 (138, -0.24) T1557 Man-in-the-Middle 215: 17.63 218: 8 (3, -0.01) 214: 3 (-1, 0.0) 205: 5 (-10, 0.02) T1104 Multi-Stage Channels 216: 17.63 220: 8 (4, -0.01) 216: 3 (0, 0.0) 207: 5 (-9, 0.02) T1201 Password Policy Discovery 217: 17.63 222: 8 (5, -0.01) 218: 3 (1, -0.0) 208: 5 (-9, 0.02) T1542.003 Pre-OS Boot: Bootkit 218: 17.63 224: 8 (6, -0.01) 219: 3 (1, -0.0) 209: 5 (-9, 0.02) T1134.002 Access Token Manipulation: Create Process with Token 219: 17.42 180: 11 (-39, 0.1) 229: 2 (10, -0.02) 156: 9 (-63, 0.17) T1482 Domain Trust Discovery 220: 17.42 182: 11 (-38, 0.09) 252: 2 (32, -0.07) 157: 9 (-63, 0.17) T1585.002 Establish Accounts: Email Accounts 221: 16.84 278: 4 (57, -0.11) 186: 4 (-35, 0.09) 426: 0 (205, -0.32) T1585.001 Establish Accounts: Social Media Accounts 222: 16.84 279: 4 (57, -0.11) 187: 4 (-35, 0.09) 427: 0 (205, -0.32) T1036.002 Masquerading: Right-to-Left Override 223: 16.84 284: 4 (61, 
-0.12) 189: 4 (-34, 0.08) 476: 0 (253, -0.36) T1588.002 Obtain Capabilities: Tool 224: 16.84 285: 4 (61, -0.12) 191: 4 (-33, 0.08) 490: 0 (266, -0.37) T1199 Trusted Relationship 225: 16.84 290: 4 (65, -0.13) 199: 4 (-26, 0.06) 543: 0 (318, -0.41) T1560.002 Archive Collected Data: Archive via Library 226: 16.42 187: 10 (-39, 0.09) 234: 2 (8, -0.02) 167: 8 (-59, 0.15) T1564.004 Hide Artifacts: NTFS File Attributes 227: 16.21 169: 13 (-58, 0.15) 330: 1 (103, -0.18) 137: 12 (-90, 0.25) T1029 Scheduled Transfer 228: 16.21 170: 13 (-58, 0.15) 354: 1 (126, -0.22) 141: 12 (-87, 0.24) T1053.002 Scheduled Task/Job: At (Windows) 229: 15.63 251: 6 (22, -0.05) 220: 3 (-9, 0.02) 256: 3 (27, -0.06) T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 230: 15.63 253: 6 (23, -0.05) 223: 3 (-7, 0.02) 257: 3 (27, -0.06) T1550.003 Use Alternate Authentication Material: Pass the Ticket 231: 15.63 255: 6 (24, -0.05) 227: 3 (-4, 0.01) 261: 3 (30, -0.06) T1001.002 Data Obfuscation: Steganography 232: 15.42 200: 9 (-32, 0.07) 247: 2 (15, -0.03) 176: 7 (-56, 0.14) T1543.001 Create or Modify System Process: Launch Agent 233: 15.0 157: 15 (-76, 0.19) 417: 0 (184, -0.28) 118: 15 (-115, 0.33) T1490 Inhibit System Recovery 234: 15.0 158: 15 (-76, 0.19) 471: 0 (237, -0.34) 119: 15 (-115, 0.33) T1027.004 Obfuscated Files or Information: Compile After Delivery 235: 14.63 263: 5 (28, -0.06) 217: 3 (-18, 0.04) 290: 2 (55, -0.1) T1087.003 Account Discovery: Email Account 236: 14.42 210: 8 (-26, 0.06) 230: 2 (-6, 0.01) 182: 6 (-54, 0.13) T1556 Modify Authentication Process 237: 14.42 219: 8 (-18, 0.04) 270: 2 (33, -0.07) 192: 6 (-45, 0.1) T1056.004 Input Capture: Credential API Hooking 238: 14.21 184: 11 (-54, 0.13) 335: 1 (97, -0.17) 154: 10 (-84, 0.21) T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion 239: 14.0 167: 14 (-72, 0.18) 549: 0 (310, -0.39) 130: 14 (-109, 0.3) T1213.002 Data from Information Repositories: Sharepoint 240: 13.63 274: 4 (34, -0.07) 209: 3 (-31, 0.07) 316: 1 (76, 
-0.14) T1036.003 Masquerading: Rename System Utilities 241: 13.63 283: 4 (42, -0.08) 215: 3 (-26, 0.06) 331: 1 (90, -0.16) T1072 Software Deployment Tools 242: 13.63 286: 4 (44, -0.08) 221: 3 (-21, 0.05) 358: 1 (116, -0.19) T1217 Browser Bookmark Discovery 243: 13.42 226: 7 (-17, 0.04) 236: 2 (-7, 0.01) 199: 5 (-44, 0.1) T1052 Exfiltration Over Physical Medium 244: 13.42 233: 7 (-11, 0.02) 258: 2 (14, -0.03) 200: 5 (-44, 0.1) T1052.001 Exfiltration Over Physical Medium: Exfiltration over USB 245: 13.42 234: 7 (-11, 0.02) 259: 2 (14, -0.03) 201: 5 (-44, 0.1) T1559.001 Inter-Process Communication: Component Object Model 246: 13.42 235: 7 (-11, 0.02) 268: 2 (22, -0.04) 204: 5 (-42, 0.09) T1055.002 Process Injection: Portable Executable Injection 247: 13.42 237: 7 (-10, 0.02) 274: 2 (27, -0.05) 210: 5 (-37, 0.08) T1053.003 Scheduled Task/Job: Cron 248: 13.21 192: 10 (-56, 0.13) 353: 1 (105, -0.17) 164: 9 (-84, 0.2) T1595 Active Scanning 249: 12.63 292: 3 (43, -0.08) 201: 3 (-48, 0.11) 377: 0 (128, -0.2) T1595.002 Active Scanning: Vulnerability Scanning 250: 12.63 293: 3 (43, -0.08) 202: 3 (-48, 0.11) 379: 0 (129, -0.21) T1584.004 Compromise Infrastructure: Server 251: 12.63 297: 3 (46, -0.08) 206: 3 (-45, 0.1) 398: 0 (147, -0.23) T1589.001 Gather Victim Identity Information: Credentials 252: 12.63 303: 3 (51, -0.09) 213: 3 (-39, 0.08) 447: 0 (195, -0.28) T1608 Stage Capabilities 253: 12.63 310: 3 (57, -0.1) 222: 3 (-31, 0.07) 528: 0 (275, -0.35) T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) 254: 12.42 240: 6 (-14, 0.03) 235: 2 (-19, 0.04) 214: 4 (-40, 0.09) T1565 Data Manipulation 255: 12.42 243: 6 (-12, 0.02) 244: 2 (-11, 0.02) 218: 4 (-37, 0.08) T1480 Execution Guardrails 256: 12.42 244: 6 (-12, 0.02) 256: 2 (0, 0.0) 222: 4 (-34, 0.07) T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification 257: 12.42 245: 6 (-12, 0.02) 260: 2 (3, -0.01) 224: 4 (-33, 0.07) T1036.001 Masquerading: 
Invalid Code Signature 258: 12.42 249: 6 (-9, 0.02) 269: 2 (11, -0.02) 225: 4 (-33, 0.07) T1134.001 Access Token Manipulation: Token Impersonation/Theft 259: 12.21 194: 9 (-65, 0.14) 287: 1 (28, -0.05) 166: 8 (-93, 0.22) T1110.001 Brute Force: Password Guessing 260: 12.21 197: 9 (-63, 0.14) 293: 1 (33, -0.06) 168: 8 (-92, 0.21) T1176 Browser Extensions 261: 11.42 256: 5 (-5, 0.01) 237: 2 (-24, 0.05) 236: 3 (-25, 0.05) T1136.002 Create Account: Domain Account 262: 11.42 259: 5 (-3, 0.01) 242: 2 (-20, 0.04) 239: 3 (-23, 0.05) T1564.005 Hide Artifacts: Hidden File System 263: 11.42 261: 5 (-2, 0.0) 265: 2 (2, -0.0) 247: 3 (-16, 0.03) T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking 264: 11.42 262: 5 (-2, 0.0) 266: 2 (2, -0.0) 249: 3 (-15, 0.03) T1021.005 Remote Services: VNC 265: 11.42 265: 5 (0, 0.0) 275: 2 (10, -0.02) 255: 3 (-10, 0.02) T1001.001 Data Obfuscation: Junk Data 266: 11.21 212: 8 (-54, 0.11) 300: 1 (34, -0.06) 175: 7 (-91, 0.21) T1056.002 Input Capture: GUI Input Capture 267: 11.21 217: 8 (-50, 0.1) 336: 1 (69, -0.11) 177: 7 (-90, 0.2) T1129 Shared Modules 268: 11.0 186: 11 (-82, 0.18) 528: 0 (260, -0.33) 150: 11 (-118, 0.28) T1555.005 Credentials from Password Stores: Password Managers 269: 10.42 272: 4 (3, -0.01) 243: 2 (-26, 0.05) 274: 2 (5, -0.01) T1484 Domain Policy Modification 270: 10.42 276: 4 (6, -0.01) 251: 2 (-19, 0.04) 277: 2 (7, -0.01) T1568.001 Dynamic Resolution: Fast Flux DNS 271: 10.42 277: 4 (6, -0.01) 254: 2 (-17, 0.03) 279: 2 (8, -0.01) T1553.006 Subvert Trust Controls: Code Signing Policy Modification 272: 10.42 287: 4 (15, -0.03) 281: 2 (9, -0.02) 298: 2 (26, -0.05) T1016.001 System Network Configuration Discovery: Internet Connection Discovery 273: 10.42 289: 4 (16, -0.03) 282: 2 (9, -0.02) 300: 2 (27, -0.05) T1497.002 Virtualization/Sandbox Evasion: User Activity Based Checks 274: 10.42 291: 4 (17, -0.03) 285: 2 (11, -0.02) 303: 2 (29, -0.05) T1030 Data Transfer Size Limits 275: 10.21 228: 7 (-47, 0.09) 301: 1 (26, -0.05) 
188: 6 (-87, 0.19) T1546.015 Event Triggered Execution: Component Object Model Hijacking 276: 10.21 232: 7 (-44, 0.09) 314: 1 (38, -0.06) 190: 6 (-86, 0.18) T1205 Traffic Signaling 277: 10.21 239: 7 (-38, 0.07) 366: 1 (89, -0.14) 198: 6 (-79, 0.17) T1565.001 Data Manipulation: Stored Data Manipulation 278: 9.42 298: 3 (20, -0.03) 245: 2 (-33, 0.06) 315: 1 (37, -0.06) T1480.001 Execution Guardrails: Environmental Keying 279: 9.42 302: 3 (23, -0.04) 257: 2 (-22, 0.04) 322: 1 (43, -0.07) T1003.006 OS Credential Dumping: DCSync 280: 9.42 305: 3 (25, -0.04) 271: 2 (-9, 0.02) 340: 1 (60, -0.1) T1111 Two-Factor Authentication Interception 281: 9.42 315: 3 (34, -0.06) 283: 2 (2, -0.0) 360: 1 (79, -0.12) T1220 XSL Script Processing 282: 9.42 316: 3 (34, -0.06) 286: 2 (4, -0.01) 365: 1 (83, -0.13) T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification 283: 9.21 246: 6 (-37, 0.07) 319: 1 (36, -0.06) 203: 5 (-80, 0.16) T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay 284: 9.21 248: 6 (-36, 0.07) 339: 1 (55, -0.09) 206: 5 (-78, 0.16) T1552.002 Unsecured Credentials: Credentials in Registry 285: 9.21 254: 6 (-31, 0.06) 370: 1 (85, -0.13) 212: 5 (-73, 0.15) T1185 Man in the Browser 286: 9.0 202: 9 (-84, 0.17) 473: 0 (187, -0.25) 161: 9 (-125, 0.28) T1098.002 Account Manipulation: Exchange Email Delegate Permissions 287: 8.42 321: 2 (34, -0.06) 231: 2 (-56, 0.11) 369: 0 (82, -0.12) T1583.004 Acquire Infrastructure: Server 288: 8.42 323: 2 (35, -0.06) 232: 2 (-56, 0.11) 374: 0 (86, -0.13) T1583.003 Acquire Infrastructure: Virtual Private Server 289: 8.42 324: 2 (35, -0.06) 233: 2 (-56, 0.11) 375: 0 (86, -0.13) T1586 Compromise Accounts 290: 8.42 330: 2 (40, -0.06) 239: 2 (-51, 0.1) 391: 0 (101, -0.15) T1586.002 Compromise Accounts: Email Accounts 291: 8.42 331: 2 (40, -0.06) 240: 2 (-51, 0.1) 392: 0 (101, -0.15) T1584.001 Compromise Infrastructure: Domains 292: 8.42 332: 2 (40, -0.06) 241: 2 (-51, 0.1) 397: 0 
(105, -0.15) T1491 Defacement 293: 8.42 334: 2 (41, -0.07) 248: 2 (-45, 0.08) 409: 0 (116, -0.17) T1587.002 Develop Capabilities: Code Signing Certificates 294: 8.42 336: 2 (42, -0.07) 249: 2 (-45, 0.08) 413: 0 (119, -0.17) T1587.003 Develop Capabilities: Digital Certificates 295: 8.42 337: 2 (42, -0.07) 250: 2 (-45, 0.08) 414: 0 (119, -0.17) T1114.003 Email Collection: Email Forwarding Rule 296: 8.42 338: 2 (42, -0.07) 255: 2 (-41, 0.07) 420: 0 (124, -0.17) T1187 Forced Authentication 297: 8.42 341: 2 (44, -0.07) 261: 2 (-36, 0.06) 437: 0 (140, -0.19) T1592 Gather Victim Host Information 298: 8.42 342: 2 (44, -0.07) 262: 2 (-36, 0.06) 441: 0 (143, -0.19) T1589.003 Gather Victim Identity Information: Employee Names 299: 8.42 343: 2 (44, -0.07) 263: 2 (-36, 0.06) 449: 0 (150, -0.2) T1590 Gather Victim Network Information 300: 8.42 344: 2 (44, -0.07) 264: 2 (-36, 0.06) 450: 0 (150, -0.2) T1562.002 Impair Defenses: Disable Windows Event Logging 301: 8.42 348: 2 (47, -0.07) 267: 2 (-34, 0.06) 469: 0 (168, -0.22) T1588.004 Obtain Capabilities: Digital Certificates 302: 8.42 359: 2 (57, -0.09) 272: 2 (-30, 0.05) 487: 0 (185, -0.23) T1588.001 Obtain Capabilities: Malware 303: 8.42 360: 2 (57, -0.09) 273: 2 (-30, 0.05) 489: 0 (186, -0.23) T1594 Search Victim-Owned Websites 304: 8.42 366: 2 (62, -0.09) 276: 2 (-28, 0.05) 521: 0 (217, -0.26) T1218.003 Signed Binary Proxy Execution: CMSTP 305: 8.42 367: 2 (62, -0.09) 278: 2 (-27, 0.05) 523: 0 (218, -0.26) T1218.004 Signed Binary Proxy Execution: InstallUtil 306: 8.42 369: 2 (63, -0.09) 279: 2 (-27, 0.05) 524: 0 (218, -0.26) T1608.004 Stage Capabilities: Drive-by Target 307: 8.42 370: 2 (63, -0.09) 280: 2 (-27, 0.05) 529: 0 (222, -0.27) T1543.002 Create or Modify System Process: Systemd Service 308: 8.21 260: 5 (-48, 0.08) 297: 1 (-11, 0.02) 216: 4 (-92, 0.18) T1539 Steal Web Session Cookie 309: 8.21 267: 5 (-42, 0.07) 363: 1 (54, -0.08) 229: 4 (-80, 0.15) T1102.003 Web Service: One-Way Communication 310: 8.21 268: 5 (-42, 
0.07) 375: 1 (65, -0.09) 233: 4 (-77, 0.14) T1547.005 Boot or Logon Autostart Execution: Security Support Provider 311: 7.21 269: 4 (-42, 0.07) 291: 1 (-20, 0.03) 235: 3 (-76, 0.14) T1565.002 Data Manipulation: Transmitted Data Manipulation 312: 7.21 273: 4 (-39, 0.07) 299: 1 (-13, 0.02) 240: 3 (-72, 0.13) T1561.001 Disk Wipe: Disk Content Wipe 313: 7.21 275: 4 (-38, 0.06) 305: 1 (-8, 0.01) 241: 3 (-72, 0.13) T1546.010 Event Triggered Execution: AppInit DLLs 314: 7.21 280: 4 (-34, 0.06) 311: 1 (-3, 0.0) 243: 3 (-71, 0.13) T1546.011 Event Triggered Execution: Application Shimming 315: 7.21 281: 4 (-34, 0.06) 312: 1 (-3, 0.0) 244: 3 (-71, 0.13) T1070.005 Indicator Removal on Host: Network Share Connection Removal 316: 7.21 282: 4 (-34, 0.06) 334: 1 (18, -0.03) 250: 3 (-66, 0.12) T1092 Communication Through Removable Media 317: 6.21 296: 3 (-21, 0.03) 294: 1 (-23, 0.04) 272: 2 (-45, 0.08) T1484.001 Domain Policy Modification: Group Policy Modification 318: 6.21 299: 3 (-19, 0.03) 307: 1 (-11, 0.02) 278: 2 (-40, 0.07) T1499 Endpoint Denial of Service 319: 6.21 300: 3 (-19, 0.03) 309: 1 (-10, 0.02) 280: 2 (-39, 0.07) T1546.012 Event Triggered Execution: Image File Execution Options Injection 320: 6.21 301: 3 (-19, 0.03) 315: 1 (-5, 0.01) 282: 2 (-38, 0.06) T1137.001 Office Application Startup: Office Template Macros 321: 6.21 306: 3 (-15, 0.02) 346: 1 (25, -0.04) 291: 2 (-30, 0.05) T1055.013 Process Injection: Process Doppelgänging 322: 6.21 308: 3 (-14, 0.02) 351: 1 (29, -0.04) 293: 2 (-29, 0.05) T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket 323: 6.21 311: 3 (-12, 0.02) 364: 1 (41, -0.06) 296: 2 (-27, 0.04) T1127 Trusted Developer Utilities Proxy Execution 324: 6.21 313: 3 (-11, 0.02) 368: 1 (44, -0.06) 301: 2 (-23, 0.04) T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild 325: 6.21 314: 3 (-11, 0.02) 369: 1 (44, -0.06) 302: 2 (-23, 0.04) T1543.004 Create or Modify System Process: Launch Daemon 326: 6.0 241: 6 (-85, 0.15) 418: 0 (92, -0.12) 185: 6 
(-141, 0.28) T1132.002 Data Encoding: Non-Standard Encoding 327: 6.0 242: 6 (-85, 0.15) 421: 0 (94, -0.13) 187: 6 (-140, 0.27) T1055.004 Process Injection: Asynchronous Procedure Call 328: 6.0 250: 6 (-78, 0.13) 499: 0 (171, -0.21) 193: 6 (-135, 0.26) T1110.004 Brute Force: Credential Stuffing 329: 5.21 329: 2 (0, 0.0) 292: 1 (-37, 0.06) 311: 1 (-18, 0.03) T1546.009 Event Triggered Execution: AppCert DLLs 330: 5.21 340: 2 (10, -0.01) 310: 1 (-20, 0.03) 318: 1 (-12, 0.02) T1070.003 Indicator Removal on Host: Clear Command History 331: 5.21 350: 2 (19, -0.03) 332: 1 (1, -0.0) 329: 1 (-2, 0.0) T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs 332: 5.21 351: 2 (19, -0.03) 333: 1 (1, -0.0) 330: 1 (-2, 0.0) T1556.001 Modify Authentication Process: Domain Controller Authentication 333: 5.21 353: 2 (20, -0.03) 340: 1 (7, -0.01) 333: 1 (0, 0.0) T1556.002 Modify Authentication Process: Password Filter DLL 334: 5.21 354: 2 (20, -0.03) 341: 1 (7, -0.01) 335: 1 (1, -0.0) T1498 Network Denial of Service 335: 5.21 356: 2 (21, -0.03) 342: 1 (7, -0.01) 338: 1 (3, -0.0) T1588.003 Obtain Capabilities: Code Signing Certificates 336: 5.21 358: 2 (22, -0.03) 343: 1 (7, -0.01) 342: 1 (6, -0.01) T1137.004 Office Application Startup: Outlook Home Page 337: 5.21 361: 2 (24, -0.03) 348: 1 (11, -0.02) 344: 1 (7, -0.01) T1598.002 Phishing for Information: Spearphishing Attachment 338: 5.21 362: 2 (24, -0.03) 349: 1 (11, -0.02) 347: 1 (9, -0.01) T1090.004 Proxy: Domain Fronting 339: 5.21 364: 2 (25, -0.04) 352: 1 (13, -0.02) 349: 1 (10, -0.01) T1552.006 Unsecured Credentials: Group Policy Preferences 340: 5.21 373: 2 (33, -0.05) 371: 1 (31, -0.04) 363: 1 (23, -0.03) T1098.001 Account Manipulation: Additional Cloud Credentials 341: 4.21 377: 1 (36, -0.05) 288: 1 (-53, 0.08) 368: 0 (27, -0.04) T1584.003 Compromise Infrastructure: Virtual Private Server 342: 4.21 382: 1 (40, -0.06) 295: 1 (-47, 0.07) 399: 0 (57, -0.08) T1584.006 Compromise Infrastructure: Web Services 343: 4.21 
383: 1 (40, -0.06) 296: 1 (-47, 0.07) 400: 0 (57, -0.08) T1565.003 Data Manipulation: Runtime Data Manipulation 344: 4.21 386: 1 (42, -0.06) 298: 1 (-46, 0.07) 402: 0 (58, -0.08) T1530 Data from Cloud Storage Object 345: 4.21 387: 1 (42, -0.06) 302: 1 (-43, 0.07) 404: 0 (59, -0.08) T1491.002 Defacement: External Defacement 346: 4.21 388: 1 (42, -0.06) 303: 1 (-43, 0.07) 410: 0 (64, -0.08) T1491.001 Defacement: Internal Defacement 347: 4.21 389: 1 (42, -0.06) 304: 1 (-43, 0.07) 411: 0 (64, -0.08) T1484.002 Domain Policy Modification: Domain Trust Modification 348: 4.21 390: 1 (42, -0.06) 306: 1 (-42, 0.06) 418: 0 (70, -0.09) T1568.003 Dynamic Resolution: DNS Calculation 349: 4.21 391: 1 (42, -0.06) 308: 1 (-41, 0.06) 419: 0 (70, -0.09) T1546.001 Event Triggered Execution: Change Default File Association 350: 4.21 392: 1 (42, -0.06) 313: 1 (-37, 0.06) 428: 0 (78, -0.1) T1546.013 Event Triggered Execution: PowerShell Profile 351: 4.21 394: 1 (43, -0.06) 316: 1 (-35, 0.05) 431: 0 (80, -0.1) T1048.002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol 352: 4.21 397: 1 (45, -0.06) 317: 1 (-35, 0.05) 433: 0 (81, -0.1) T1211 Exploitation for Defense Evasion 353: 4.21 401: 1 (48, -0.06) 318: 1 (-35, 0.05) 436: 0 (83, -0.11) T1606 Forge Web Credentials 354: 4.21 403: 1 (49, -0.06) 320: 1 (-34, 0.05) 438: 0 (84, -0.11) T1606.002 Forge Web Credentials: SAML Tokens 355: 4.21 404: 1 (49, -0.06) 321: 1 (-34, 0.05) 439: 0 (84, -0.11) T1606.001 Forge Web Credentials: Web Cookies 356: 4.21 405: 1 (49, -0.06) 322: 1 (-34, 0.05) 440: 0 (84, -0.11) T1592.004 Gather Victim Host Information: Client Configurations 357: 4.21 406: 1 (49, -0.06) 323: 1 (-34, 0.05) 442: 0 (85, -0.11) T1592.002 Gather Victim Host Information: Software 358: 4.21 407: 1 (49, -0.06) 324: 1 (-34, 0.05) 445: 0 (87, -0.11) T1590.001 Gather Victim Network Information: Domain Properties 359: 4.21 408: 1 (49, -0.06) 325: 1 (-34, 0.05) 452: 0 (93, -0.11) T1590.005 Gather 
Victim Network Information: IP Addresses 360: 4.21 409: 1 (49, -0.06) 326: 1 (-34, 0.05) 453: 0 (93, -0.11) T1591 Gather Victim Org Information 361: 4.21 410: 1 (49, -0.06) 327: 1 (-34, 0.05) 457: 0 (96, -0.12) T1591.002 Gather Victim Org Information: Business Relationships 362: 4.21 411: 1 (49, -0.06) 328: 1 (-34, 0.05) 458: 0 (96, -0.12) T1200 Hardware Additions 363: 4.21 412: 1 (49, -0.06) 329: 1 (-34, 0.05) 462: 0 (99, -0.12) T1574.012 Hijack Execution Flow: COR_PROFILER 364: 4.21 413: 1 (49, -0.06) 331: 1 (-33, 0.05) 465: 0 (101, -0.12) T1534 Internal Spearphishing 365: 4.21 416: 1 (51, -0.07) 337: 1 (-28, 0.04) 474: 0 (109, -0.13) T1557.002 Man-in-the-Middle: ARP Cache Poisoning 366: 4.21 417: 1 (51, -0.07) 338: 1 (-28, 0.04) 475: 0 (109, -0.13) T1588.006 Obtain Capabilities: Vulnerabilities 367: 4.21 423: 1 (56, -0.07) 344: 1 (-23, 0.03) 491: 0 (124, -0.14) T1137.006 Office Application Startup: Add-ins 368: 4.21 424: 1 (56, -0.07) 345: 1 (-23, 0.03) 492: 0 (124, -0.14) T1137.002 Office Application Startup: Office Test 369: 4.21 425: 1 (56, -0.07) 347: 1 (-22, 0.03) 493: 0 (124, -0.14) T1542.002 Pre-OS Boot: Component Firmware 370: 4.21 428: 1 (58, -0.07) 350: 1 (-20, 0.03) 498: 0 (128, -0.15) T1593 Search Open Websites/Domains 371: 4.21 433: 1 (62, -0.08) 355: 1 (-16, 0.02) 518: 0 (147, -0.17) T1218.008 Signed Binary Proxy Execution: Odbcconf 372: 4.21 435: 1 (63, -0.08) 356: 1 (-16, 0.02) 525: 0 (153, -0.17) T1216 Signed Script Proxy Execution 373: 4.21 438: 1 (65, -0.08) 357: 1 (-16, 0.02) 526: 0 (153, -0.17) T1216.001 Signed Script Proxy Execution: PubPrn 374: 4.21 439: 1 (65, -0.08) 358: 1 (-16, 0.02) 527: 0 (153, -0.17) T1608.005 Stage Capabilities: Link Target 375: 4.21 440: 1 (65, -0.08) 359: 1 (-16, 0.02) 531: 0 (156, -0.17) T1608.001 Stage Capabilities: Upload Malware 376: 4.21 441: 1 (65, -0.08) 360: 1 (-16, 0.02) 532: 0 (156, -0.17) T1608.002 Stage Capabilities: Upload Tool 377: 4.21 442: 1 (65, -0.08) 361: 1 (-16, 0.02) 533: 0 (156, -0.17) T1528 
Steal Application Access Token 378: 4.21 443: 1 (65, -0.08) 362: 1 (-16, 0.02) 534: 0 (156, -0.17) T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass 379: 4.21 444: 1 (65, -0.08) 365: 1 (-14, 0.02) 536: 0 (157, -0.17) T1205.001 Traffic Signaling: Port Knocking 380: 4.21 446: 1 (66, -0.08) 367: 1 (-13, 0.02) 541: 0 (161, -0.17) T1550.001 Use Alternate Authentication Material: Application Access Token 381: 4.21 449: 1 (68, -0.08) 372: 1 (-9, 0.01) 546: 0 (165, -0.18) T1550.004 Use Alternate Authentication Material: Web Session Cookie 382: 4.21 450: 1 (68, -0.08) 373: 1 (-9, 0.01) 547: 0 (165, -0.18) T1078.004 Valid Accounts: Cloud Accounts 383: 4.21 451: 1 (68, -0.08) 374: 1 (-9, 0.01) 549: 0 (166, -0.18) T1554 Compromise Client Software Binary 384: 4.0 270: 4 (-114, 0.17) 411: 0 (27, -0.03) 215: 4 (-169, 0.28) T1555.001 Credentials from Password Stores: Keychain 385: 4.0 271: 4 (-114, 0.17) 419: 0 (34, -0.04) 217: 4 (-168, 0.28) T1553.004 Subvert Trust Controls: Install Root Certificate 386: 4.0 288: 4 (-98, 0.15) 536: 0 (150, -0.16) 231: 4 (-155, 0.25) T1547.011 Boot or Logon Autostart Execution: Plist Modification 387: 3.0 294: 3 (-93, 0.14) 394: 0 (7, -0.01) 234: 3 (-153, 0.25) T1059.002 Command and Scripting Interpreter: AppleScript 388: 3.0 295: 3 (-93, 0.14) 408: 0 (20, -0.03) 238: 3 (-150, 0.24) T1564.006 Hide Artifacts: Run Virtual Instance 389: 3.0 304: 3 (-85, 0.12) 456: 0 (67, -0.08) 248: 3 (-141, 0.22) T1542.001 Pre-OS Boot: System Firmware 390: 3.0 307: 3 (-83, 0.12) 497: 0 (107, -0.12) 252: 3 (-138, 0.21) T1055.003 Process Injection: Thread Execution Hijacking 391: 3.0 309: 3 (-82, 0.12) 503: 0 (112, -0.13) 253: 3 (-138, 0.21) T1569.001 System Services: Launchctl 392: 3.0 312: 3 (-80, 0.11) 541: 0 (149, -0.16) 260: 3 (-132, 0.2) T1548.001 Abuse Elevation Control Mechanism: Setuid and Setgid 393: 2.0 317: 2 (-76, 0.11) 377: 0 (-16, 0.02) 263: 2 (-130, 0.2) T1134.004 Access Token Manipulation: Parent PID Spoofing 394: 2.0 318: 2 (-76, 0.11) 380: 0 
(-14, 0.02) 264: 2 (-130, 0.2) T1134.005 Access Token Manipulation: SID-History Injection 395: 2.0 319: 2 (-76, 0.11) 381: 0 (-14, 0.02) 265: 2 (-130, 0.2) T1531 Account Access Removal 396: 2.0 320: 2 (-76, 0.11) 382: 0 (-14, 0.02) 266: 2 (-130, 0.2) T1098.004 Account Manipulation: SSH Authorized Keys 397: 2.0 322: 2 (-75, 0.1) 385: 0 (-12, 0.02) 267: 2 (-130, 0.2) T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions 398: 2.0 325: 2 (-73, 0.1) 392: 0 (-6, 0.01) 268: 2 (-130, 0.2) T1547.008 Boot or Logon Autostart Execution: LSASS Driver 399: 2.0 326: 2 (-73, 0.1) 393: 0 (-6, 0.01) 269: 2 (-130, 0.19) T1547.013 Boot or Logon Autostart Execution: XDG Autostart Entries 400: 2.0 327: 2 (-73, 0.1) 399: 0 (-1, 0.0) 270: 2 (-130, 0.19) T1037.004 Boot or Logon Initialization Scripts: RC Scripts 401: 2.0 328: 2 (-73, 0.1) 402: 0 (1, -0.0) 271: 2 (-130, 0.19) T1609 Container Administration Command 402: 2.0 333: 2 (-69, 0.09) 414: 0 (12, -0.01) 273: 2 (-129, 0.19) T1610 Deploy Container 403: 2.0 335: 2 (-68, 0.09) 426: 0 (23, -0.03) 276: 2 (-127, 0.19) T1611 Escape to Host 404: 2.0 339: 2 (-65, 0.09) 433: 0 (29, -0.03) 281: 2 (-123, 0.18) T1574.007 Hijack Execution Flow: Path Interception by PATH Environment Variable 405: 2.0 345: 2 (-60, 0.08) 460: 0 (55, -0.06) 283: 2 (-122, 0.18) T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking 406: 2.0 346: 2 (-60, 0.08) 461: 0 (55, -0.06) 284: 2 (-122, 0.18) T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 407: 2.0 347: 2 (-60, 0.08) 462: 0 (55, -0.06) 285: 2 (-122, 0.18) T1562.006 Impair Defenses: Indicator Blocking 408: 2.0 349: 2 (-59, 0.08) 468: 0 (60, -0.07) 286: 2 (-122, 0.18) T1202 Indirect Command Execution 409: 2.0 352: 2 (-57, 0.07) 470: 0 (61, -0.07) 287: 2 (-122, 0.18) T1556.003 Modify Authentication Process: Pluggable Authentication Modules 410: 2.0 355: 2 (-55, 0.07) 476: 0 (66, -0.07) 288: 2 (-122, 0.17) T1003.007 OS Credential Dumping: Proc Filesystem 
411: 2.0 357: 2 (-54, 0.07) 490: 0 (79, -0.09) 289: 2 (-122, 0.17) T1055.011 Process Injection: Extra Window Memory Injection 412: 2.0 363: 2 (-49, 0.06) 500: 0 (88, -0.1) 292: 2 (-120, 0.17) T1021.003 Remote Services: Distributed Component Object Model 413: 2.0 365: 2 (-48, 0.06) 509: 0 (96, -0.1) 294: 2 (-119, 0.17) T1218.002 Signed Binary Proxy Execution: Control Panel 414: 2.0 368: 2 (-46, 0.06) 529: 0 (115, -0.12) 295: 2 (-119, 0.17) T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket 415: 2.0 371: 2 (-44, 0.06) 534: 0 (119, -0.13) 297: 2 (-118, 0.17) T1553.001 Subvert Trust Controls: Gatekeeper Bypass 416: 2.0 372: 2 (-44, 0.06) 535: 0 (119, -0.13) 299: 2 (-117, 0.16) T1548.004 Abuse Elevation Control Mechanism: Elevated Execution with Prompt 417: 1.0 374: 1 (-43, 0.05) 376: 0 (-41, 0.05) 304: 1 (-113, 0.16) T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching 418: 1.0 375: 1 (-43, 0.05) 378: 0 (-40, 0.05) 305: 1 (-113, 0.16) T1134.003 Access Token Manipulation: Make and Impersonate Token 419: 1.0 376: 1 (-43, 0.05) 379: 0 (-40, 0.05) 306: 1 (-113, 0.16) T1547.014 Boot or Logon Autostart Execution: Active Setup 420: 1.0 378: 1 (-42, 0.05) 390: 0 (-30, 0.04) 307: 1 (-113, 0.16) T1547.002 Boot or Logon Autostart Execution: Authentication Package 421: 1.0 379: 1 (-42, 0.05) 391: 0 (-30, 0.04) 308: 1 (-113, 0.16) T1547.012 Boot or Logon Autostart Execution: Print Processors 422: 1.0 380: 1 (-42, 0.05) 396: 0 (-26, 0.03) 309: 1 (-113, 0.15) T1037.005 Boot or Logon Initialization Scripts: Startup Items 423: 1.0 381: 1 (-42, 0.05) 403: 0 (-20, 0.02) 310: 1 (-113, 0.15) T1613 Container and Resource Discovery 424: 1.0 384: 1 (-40, 0.05) 415: 0 (-9, 0.01) 313: 1 (-111, 0.15) T1555.002 Credentials from Password Stores: Securityd Memory 425: 1.0 385: 1 (-40, 0.05) 420: 0 (-5, 0.01) 314: 1 (-111, 0.15) T1546.007 Event Triggered Execution: Netsh Helper DLL 426: 1.0 393: 1 (-33, 0.04) 436: 0 (10, -0.01) 319: 1 (-107, 0.14) T1546.002 Event Triggered 
Execution: Screensaver 427: 1.0 395: 1 (-32, 0.04) 437: 0 (10, -0.01) 320: 1 (-107, 0.14) T1546.004 Event Triggered Execution: Unix Shell Configuration Modification 428: 1.0 396: 1 (-32, 0.04) 439: 0 (11, -0.01) 321: 1 (-107, 0.14) T1011 Exfiltration Over Other Network Medium 429: 1.0 398: 1 (-31, 0.04) 441: 0 (12, -0.01) 323: 1 (-106, 0.14) T1011.001 Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth 430: 1.0 399: 1 (-31, 0.04) 442: 0 (12, -0.01) 324: 1 (-106, 0.14) T1567.001 Exfiltration Over Web Service: Exfiltration to Code Repository 431: 1.0 400: 1 (-31, 0.04) 443: 0 (12, -0.01) 325: 1 (-106, 0.14) T1495 Firmware Corruption 432: 1.0 402: 1 (-30, 0.04) 445: 0 (13, -0.01) 326: 1 (-106, 0.14) T1574.004 Hijack Execution Flow: Dylib Hijacking 433: 1.0 414: 1 (-19, 0.02) 458: 0 (25, -0.03) 327: 1 (-106, 0.14) T1574.010 Hijack Execution Flow: Services File Permissions Weakness 434: 1.0 415: 1 (-19, 0.02) 463: 0 (29, -0.03) 328: 1 (-106, 0.14) T1036.006 Masquerading: Space after Filename 435: 1.0 418: 1 (-17, 0.02) 474: 0 (39, -0.04) 332: 1 (-103, 0.13) T1556.004 Modify Authentication Process: Network Device Authentication 436: 1.0 419: 1 (-17, 0.02) 475: 0 (39, -0.04) 334: 1 (-102, 0.13) T1601 Modify System Image 437: 1.0 420: 1 (-17, 0.02) 482: 0 (45, -0.05) 336: 1 (-101, 0.13) T1601.001 Modify System Image: Patch System Image 438: 1.0 421: 1 (-17, 0.02) 484: 0 (46, -0.05) 337: 1 (-101, 0.13) T1003.008 OS Credential Dumping: /etc/passwd and /etc/shadow 439: 1.0 422: 1 (-17, 0.02) 489: 0 (50, -0.05) 339: 1 (-100, 0.13) T1137.003 Office Application Startup: Outlook Forms 440: 1.0 426: 1 (-14, 0.02) 492: 0 (52, -0.06) 343: 1 (-97, 0.12) T1137.005 Office Application Startup: Outlook Rules 441: 1.0 427: 1 (-14, 0.02) 493: 0 (52, -0.06) 345: 1 (-96, 0.12) T1055.005 Process Injection: Thread Local Storage 442: 1.0 429: 1 (-13, 0.01) 504: 0 (62, -0.07) 348: 1 (-94, 0.12) T1563 Remote Service Session Hijacking 443: 1.0 430: 1 (-13, 0.01) 506: 0 (63, -0.07) 
350: 1 (-93, 0.12) T1563.002 Remote Service Session Hijacking: RDP Hijacking 444: 1.0 431: 1 (-13, 0.01) 507: 0 (63, -0.07) 351: 1 (-93, 0.12) T1207 Rogue Domain Controller 445: 1.0 432: 1 (-13, 0.01) 510: 0 (65, -0.07) 353: 1 (-92, 0.12) T1505.002 Server Software Component: Transport Agent 446: 1.0 434: 1 (-12, 0.01) 527: 0 (81, -0.08) 354: 1 (-92, 0.12) T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm 447: 1.0 436: 1 (-11, 0.01) 530: 0 (83, -0.08) 356: 1 (-91, 0.11) T1218.012 Signed Binary Proxy Execution: Verclsid 448: 1.0 437: 1 (-11, 0.01) 531: 0 (83, -0.08) 357: 1 (-91, 0.11) T1614 System Location Discovery 449: 1.0 445: 1 (-4, 0.0) 540: 0 (91, -0.09) 359: 1 (-90, 0.11) T1552.003 Unsecured Credentials: Bash History 450: 1.0 447: 1 (-3, 0.0) 543: 0 (93, -0.09) 361: 1 (-89, 0.11) T1552.005 Unsecured Credentials: Cloud Instance Metadata API 451: 1.0 448: 1 (-3, 0.0) 544: 0 (93, -0.09) 362: 1 (-89, 0.11) T1078.001 Valid Accounts: Default Accounts 452: 1.0 452: 1 (0, 0.0) 548: 0 (96, -0.1) 364: 1 (-88, 0.11) T1087.004 Account Discovery: Cloud Account 453: 0.0 453: 0 (0, 0.0) 383: 0 (-70, 0.08) 366: 0 (-87, 0.11) T1098.003 Account Manipulation: Add Office 365 Global Administrator Role 454: 0.0 454: 0 (0, 0.0) 384: 0 (-70, 0.08) 367: 0 (-87, 0.11) T1583.005 Acquire Infrastructure: Botnet 455: 0.0 455: 0 (0, 0.0) 386: 0 (-69, 0.08) 371: 0 (-84, 0.1) T1583.002 Acquire Infrastructure: DNS Server 456: 0.0 456: 0 (0, 0.0) 387: 0 (-69, 0.08) 372: 0 (-84, 0.1) T1595.001 Active Scanning: Scanning IP Blocks 457: 0.0 457: 0 (0, 0.0) 388: 0 (-69, 0.08) 378: 0 (-79, 0.09) T1020.001 Automated Exfiltration: Traffic Duplication 458: 0.0 458: 0 (0, 0.0) 389: 0 (-69, 0.08) 380: 0 (-78, 0.09) T1547.010 Boot or Logon Autostart Execution: Port Monitors 459: 0.0 459: 0 (0, 0.0) 395: 0 (-64, 0.07) 381: 0 (-78, 0.09) T1547.007 Boot or Logon Autostart Execution: Re-opened Applications 460: 0.0 460: 0 (0, 0.0) 397: 0 (-63, 0.07) 382: 0 (-78, 0.09) T1547.003 Boot or Logon Autostart 
Execution: Time Providers 461: 0.0 461: 0 (0, 0.0) 398: 0 (-63, 0.07) 383: 0 (-78, 0.09) T1037.002 Boot or Logon Initialization Scripts: Logon Script (Mac) 462: 0.0 462: 0 (0, 0.0) 400: 0 (-62, 0.07) 384: 0 (-78, 0.09) T1037.003 Boot or Logon Initialization Scripts: Network Logon Script 463: 0.0 463: 0 (0, 0.0) 401: 0 (-62, 0.07) 385: 0 (-78, 0.09) T1612 Build Image on Host 464: 0.0 464: 0 (0, 0.0) 404: 0 (-60, 0.07) 386: 0 (-78, 0.09) T1580 Cloud Infrastructure Discovery 465: 0.0 465: 0 (0, 0.0) 405: 0 (-60, 0.07) 387: 0 (-78, 0.09) T1538 Cloud Service Dashboard 466: 0.0 466: 0 (0, 0.0) 406: 0 (-60, 0.07) 388: 0 (-78, 0.09) T1526 Cloud Service Discovery 467: 0.0 467: 0 (0, 0.0) 407: 0 (-60, 0.07) 389: 0 (-78, 0.09) T1059.008 Command and Scripting Interpreter: Network Device CLI 468: 0.0 468: 0 (0, 0.0) 409: 0 (-59, 0.07) 390: 0 (-78, 0.09) T1586.001 Compromise Accounts: Social Media Accounts 469: 0.0 469: 0 (0, 0.0) 410: 0 (-59, 0.07) 393: 0 (-76, 0.09) T1584.005 Compromise Infrastructure: Botnet 470: 0.0 470: 0 (0, 0.0) 412: 0 (-58, 0.07) 395: 0 (-75, 0.09) T1584.002 Compromise Infrastructure: DNS Server 471: 0.0 471: 0 (0, 0.0) 413: 0 (-58, 0.07) 396: 0 (-75, 0.09) T1136.003 Create Account: Cloud Account 472: 0.0 472: 0 (0, 0.0) 416: 0 (-56, 0.06) 401: 0 (-71, 0.08) T1602 Data from Configuration Repository 473: 0.0 473: 0 (0, 0.0) 422: 0 (-51, 0.06) 405: 0 (-68, 0.08) T1602.002 Data from Configuration Repository: Network Device Configuration Dump 474: 0.0 474: 0 (0, 0.0) 423: 0 (-51, 0.06) 406: 0 (-68, 0.08) T1602.001 Data from Configuration Repository: SNMP (MIB Dump) 475: 0.0 475: 0 (0, 0.0) 424: 0 (-51, 0.06) 407: 0 (-68, 0.08) T1213.001 Data from Information Repositories: Confluence 476: 0.0 476: 0 (0, 0.0) 425: 0 (-51, 0.06) 408: 0 (-68, 0.08) T1587.004 Develop Capabilities: Exploits 477: 0.0 477: 0 (0, 0.0) 427: 0 (-50, 0.06) 415: 0 (-62, 0.07) T1006 Direct Volume Access 478: 0.0 478: 0 (0, 0.0) 428: 0 (-50, 0.06) 417: 0 (-61, 0.07) T1499.003 Endpoint 
Denial of Service: Application Exhaustion Flood 479: 0.0 479: 0 (0, 0.0) 429: 0 (-50, 0.06) 421: 0 (-58, 0.06) T1499.004 Endpoint Denial of Service: Application or System Exploitation 480: 0.0 480: 0 (0, 0.0) 430: 0 (-50, 0.05) 422: 0 (-58, 0.06) T1499.001 Endpoint Denial of Service: OS Exhaustion Flood 481: 0.0 481: 0 (0, 0.0) 431: 0 (-50, 0.05) 423: 0 (-58, 0.06) T1499.002 Endpoint Denial of Service: Service Exhaustion Flood 482: 0.0 482: 0 (0, 0.0) 432: 0 (-50, 0.05) 424: 0 (-58, 0.06) T1546.014 Event Triggered Execution: Emond 483: 0.0 483: 0 (0, 0.0) 434: 0 (-49, 0.05) 429: 0 (-54, 0.06) T1546.006 Event Triggered Execution: LC_LOAD_DYLIB Addition 484: 0.0 484: 0 (0, 0.0) 435: 0 (-49, 0.05) 430: 0 (-54, 0.06) T1546.005 Event Triggered Execution: Trap 485: 0.0 485: 0 (0, 0.0) 438: 0 (-47, 0.05) 432: 0 (-53, 0.06) T1048.001 Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol 486: 0.0 486: 0 (0, 0.0) 440: 0 (-46, 0.05) 434: 0 (-52, 0.06) T1212 Exploitation for Credential Access 487: 0.0 487: 0 (0, 0.0) 444: 0 (-43, 0.05) 435: 0 (-52, 0.06) T1592.003 Gather Victim Host Information: Firmware 488: 0.0 488: 0 (0, 0.0) 446: 0 (-42, 0.04) 443: 0 (-45, 0.05) T1592.001 Gather Victim Host Information: Hardware 489: 0.0 489: 0 (0, 0.0) 447: 0 (-42, 0.04) 444: 0 (-45, 0.05) T1590.002 Gather Victim Network Information: DNS 490: 0.0 490: 0 (0, 0.0) 448: 0 (-42, 0.04) 451: 0 (-39, 0.04) T1590.006 Gather Victim Network Information: Network Security Appliances 491: 0.0 491: 0 (0, 0.0) 449: 0 (-42, 0.04) 454: 0 (-37, 0.04) T1590.004 Gather Victim Network Information: Network Topology 492: 0.0 492: 0 (0, 0.0) 450: 0 (-42, 0.04) 455: 0 (-37, 0.04) T1590.003 Gather Victim Network Information: Network Trust Dependencies 493: 0.0 493: 0 (0, 0.0) 451: 0 (-42, 0.04) 456: 0 (-37, 0.04) T1591.001 Gather Victim Org Information: Determine Physical Locations 494: 0.0 494: 0 (0, 0.0) 452: 0 (-42, 0.04) 459: 0 (-35, 0.04) T1591.003 Gather Victim Org 
Information: Identify Business Tempo 495: 0.0 495: 0 (0, 0.0) 453: 0 (-42, 0.04) 460: 0 (-35, 0.04) T1591.004 Gather Victim Org Information: Identify Roles 496: 0.0 496: 0 (0, 0.0) 454: 0 (-42, 0.04) 461: 0 (-35, 0.04) T1564.002 Hide Artifacts: Hidden Users 497: 0.0 497: 0 (0, 0.0) 455: 0 (-42, 0.04) 463: 0 (-34, 0.04) T1564.007 Hide Artifacts: VBA Stomping 498: 0.0 498: 0 (0, 0.0) 457: 0 (-41, 0.04) 464: 0 (-34, 0.04) T1574.005 Hijack Execution Flow: Executable Installer File Permissions Weakness 499: 0.0 499: 0 (0, 0.0) 459: 0 (-40, 0.04) 466: 0 (-33, 0.03) T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness 500: 0.0 500: 0 (0, 0.0) 464: 0 (-36, 0.04) 467: 0 (-33, 0.03) T1562.008 Impair Defenses: Disable Cloud Logs 501: 0.0 501: 0 (0, 0.0) 465: 0 (-36, 0.04) 468: 0 (-33, 0.03) T1562.007 Impair Defenses: Disable or Modify Cloud Firewall 502: 0.0 502: 0 (0, 0.0) 466: 0 (-36, 0.04) 470: 0 (-32, 0.03) T1562.003 Impair Defenses: Impair Command History Logging 503: 0.0 503: 0 (0, 0.0) 467: 0 (-36, 0.04) 471: 0 (-32, 0.03) T1525 Implant Internal Image 504: 0.0 504: 0 (0, 0.0) 469: 0 (-35, 0.04) 472: 0 (-32, 0.03) T1056.003 Input Capture: Web Portal Capture 505: 0.0 505: 0 (0, 0.0) 472: 0 (-33, 0.03) 473: 0 (-32, 0.03) T1578 Modify Cloud Compute Infrastructure 506: 0.0 506: 0 (0, 0.0) 477: 0 (-29, 0.03) 477: 0 (-29, 0.03) T1578.002 Modify Cloud Compute Infrastructure: Create Cloud Instance 507: 0.0 507: 0 (0, 0.0) 478: 0 (-29, 0.03) 478: 0 (-29, 0.03) T1578.001 Modify Cloud Compute Infrastructure: Create Snapshot 508: 0.0 508: 0 (0, 0.0) 479: 0 (-29, 0.03) 479: 0 (-29, 0.03) T1578.003 Modify Cloud Compute Infrastructure: Delete Cloud Instance 509: 0.0 509: 0 (0, 0.0) 480: 0 (-29, 0.03) 480: 0 (-29, 0.03) T1578.004 Modify Cloud Compute Infrastructure: Revert Cloud Instance 510: 0.0 510: 0 (0, 0.0) 481: 0 (-29, 0.03) 481: 0 (-29, 0.03) T1601.002 Modify System Image: Downgrade System Image 511: 0.0 511: 0 (0, 0.0) 483: 0 (-28, 0.03) 482: 0 (-29, 0.03) 
T1599 Network Boundary Bridging 512: 0.0 512: 0 (0, 0.0) 485: 0 (-27, 0.03) 483: 0 (-29, 0.03) T1599.001 Network Boundary Bridging: Network Address Translation Traversal 513: 0.0 513: 0 (0, 0.0) 486: 0 (-27, 0.03) 484: 0 (-29, 0.03) T1498.001 Network Denial of Service: Direct Network Flood 514: 0.0 514: 0 (0, 0.0) 487: 0 (-27, 0.03) 485: 0 (-29, 0.03) T1498.002 Network Denial of Service: Reflection Amplification 515: 0.0 515: 0 (0, 0.0) 488: 0 (-27, 0.03) 486: 0 (-29, 0.03) T1588.005 Obtain Capabilities: Exploits 516: 0.0 516: 0 (0, 0.0) 491: 0 (-25, 0.02) 488: 0 (-28, 0.03) T1069.003 Permission Groups Discovery: Cloud Groups 517: 0.0 517: 0 (0, 0.0) 494: 0 (-23, 0.02) 494: 0 (-23, 0.02) T1598.001 Phishing for Information: Spearphishing Service 518: 0.0 518: 0 (0, 0.0) 495: 0 (-23, 0.02) 496: 0 (-22, 0.02) T1542.004 Pre-OS Boot: ROMMONkit 519: 0.0 519: 0 (0, 0.0) 496: 0 (-23, 0.02) 499: 0 (-20, 0.02) T1542.005 Pre-OS Boot: TFTP Boot 520: 0.0 520: 0 (0, 0.0) 498: 0 (-22, 0.02) 500: 0 (-20, 0.02) T1055.009 Process Injection: Proc Memory 521: 0.0 521: 0 (0, 0.0) 501: 0 (-20, 0.02) 501: 0 (-20, 0.02) T1055.008 Process Injection: Ptrace System Calls 522: 0.0 522: 0 (0, 0.0) 502: 0 (-20, 0.02) 502: 0 (-20, 0.02) T1055.014 Process Injection: VDSO Hijacking 523: 0.0 523: 0 (0, 0.0) 505: 0 (-18, 0.02) 503: 0 (-20, 0.02) T1563.001 Remote Service Session Hijacking: SSH Hijacking 524: 0.0 524: 0 (0, 0.0) 508: 0 (-16, 0.02) 504: 0 (-20, 0.02) T1053.001 Scheduled Task/Job: At (Linux) 525: 0.0 525: 0 (0, 0.0) 511: 0 (-14, 0.01) 505: 0 (-20, 0.02) T1053.007 Scheduled Task/Job: Container Orchestration Job 526: 0.0 526: 0 (0, 0.0) 512: 0 (-14, 0.01) 506: 0 (-20, 0.02) T1053.004 Scheduled Task/Job: Launchd 527: 0.0 527: 0 (0, 0.0) 513: 0 (-14, 0.01) 507: 0 (-20, 0.02) T1053.006 Scheduled Task/Job: Systemd Timers 528: 0.0 528: 0 (0, 0.0) 514: 0 (-14, 0.01) 508: 0 (-20, 0.02) T1597 Search Closed Sources 529: 0.0 529: 0 (0, 0.0) 515: 0 (-14, 0.01) 509: 0 (-20, 0.02) T1597.002 Search 
Closed Sources: Purchase Technical Data 530: 0.0 530: 0 (0, 0.0) 516: 0 (-14, 0.01) 510: 0 (-20, 0.02) T1597.001 Search Closed Sources: Threat Intel Vendors 531: 0.0 531: 0 (0, 0.0) 517: 0 (-14, 0.01) 511: 0 (-20, 0.02) T1596 Search Open Technical Databases 532: 0.0 532: 0 (0, 0.0) 518: 0 (-14, 0.01) 512: 0 (-20, 0.02) T1596.004 Search Open Technical Databases: CDNs 533: 0.0 533: 0 (0, 0.0) 519: 0 (-14, 0.01) 513: 0 (-20, 0.02) T1596.001 Search Open Technical Databases: DNS/Passive DNS 534: 0.0 534: 0 (0, 0.0) 520: 0 (-14, 0.01) 514: 0 (-20, 0.02) T1596.003 Search Open Technical Databases: Digital Certificates 535: 0.0 535: 0 (0, 0.0) 521: 0 (-14, 0.01) 515: 0 (-20, 0.02) T1596.005 Search Open Technical Databases: Scan Databases 536: 0.0 536: 0 (0, 0.0) 522: 0 (-14, 0.01) 516: 0 (-20, 0.02) T1596.002 Search Open Technical Databases: WHOIS 537: 0.0 537: 0 (0, 0.0) 523: 0 (-14, 0.01) 517: 0 (-20, 0.02) T1593.002 Search Open Websites/Domains: Search Engines 538: 0.0 538: 0 (0, 0.0) 524: 0 (-14, 0.01) 519: 0 (-19, 0.02) T1593.001 Search Open Websites/Domains: Social Media 539: 0.0 539: 0 (0, 0.0) 525: 0 (-14, 0.01) 520: 0 (-19, 0.02) T1505.001 Server Software Component: SQL Stored Procedures 540: 0.0 540: 0 (0, 0.0) 526: 0 (-14, 0.01) 522: 0 (-18, 0.02) T1608.003 Stage Capabilities: Install Digital Certificate 541: 0.0 541: 0 (0, 0.0) 532: 0 (-9, 0.01) 530: 0 (-11, 0.01) T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting 542: 0.0 542: 0 (0, 0.0) 533: 0 (-9, 0.01) 535: 0 (-7, 0.01) T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking 543: 0.0 543: 0 (0, 0.0) 537: 0 (-6, 0.01) 537: 0 (-6, 0.01) T1195.003 Supply Chain Compromise: Compromise Hardware Supply Chain 544: 0.0 544: 0 (0, 0.0) 538: 0 (-6, 0.01) 538: 0 (-6, 0.01) T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools 545: 0.0 545: 0 (0, 0.0) 539: 0 (-6, 0.01) 539: 0 (-6, 0.01) T1537 Transfer Data to Cloud Account 546: 0.0 546: 0 (0, 0.0) 542: 0 (-4, 0.0) 
542: 0 (-4, 0.0) T1552.007 Unsecured Credentials: Container API 547: 0.0 547: 0 (0, 0.0) 545: 0 (-2, 0.0) 544: 0 (-3, 0.0) T1535 Unused/Unsupported Cloud Regions 548: 0.0 548: 0 (0, 0.0) 546: 0 (-2, 0.0) 545: 0 (-3, 0.0) T1204.003 User Execution: Malicious Image 549: 0.0 549: 0 (0, 0.0) 547: 0 (-2, 0.0) 548: 0 (-1, 0.0) T1600 Weaken Encryption 550: 0.0 550: 0 (0, 0.0) 550: 0 (0, 0.0) 550: 0 (0, 0.0) T1600.002 Weaken Encryption: Disable Crypto Hardware 551: 0.0 551: 0 (0, 0.0) 551: 0 (0, 0.0) 551: 0 (0, 0.0) T1600.001 Weaken Encryption: Reduce Key Space 552: 0.0 552: 0 (0, 0.0) 552: 0 (0, 0.0) 552: 0 (0, 0.0) RBO Total 0.93 0.92 0.85 RBO Top 1000 0.93 0.92 0.85 Kendall TAU Total 0.89 0.86 0.7 Kendall Top 1000 0.89 0.86 0.7
# Top-20 techniques of the merged variant, ordered by technique rank 3
# (rank_no_examples_weighted, see the rank listing above) and compared with
# ranks 0-2 (total / group / software example counts); LaTeX table output.
worker1_merged_subt.print_rank_comp(
    with_val=True,
    sort_type=3,
    compared_ranks=range(3),
    comp_rank=True,
    top=20,
    tablefmt="latex",
)
\begin{tabular}{llllll}
\hline
ID & Name & R\_WEIGH & R\_TOT & R\_GRP & R\_SW \\
T1059 & Command and Scripting Interpreter & 1: 605.43 & 1: 339 (0, 0.0) & 1: 83 (0, 0.0) & 1: 256 (0, 0.0) \\
T1027 & Obfuscated Files or Information & 2: 478.86 & 3: 267 (1, -0.2) & 2: 66 (0, 0.0) & 5: 201 (3, -0.43) \\
T1105 & Ingress Tool Transfer & 3: 470.76 & 2: 291 (-1, 0.2) & 7: 56 (4, -0.4) & 2: 235 (-1, 0.2) \\
T1071 & Application Layer Protocol & 4: 404.45 & 4: 260 (0, 0.0) & 10: 45 (6, -0.43) & 3: 215 (-1, 0.14) \\
T1059.003 & Command and Scripting Interpreter: Windows Command Shell & 5: 402.92 & 6: 236 (1, -0.09) & 9: 52 (4, -0.29) & 7: 184 (2, -0.17) \\
T1071.001 & Application Layer Protocol: Web Protocols & 6: 366.61 & 7: 235 (1, -0.08) & 15: 41 (9, -0.43) & 6: 194 (0, 0.0) \\
T1082 & System Information Discovery & 7: 362.35 & 5: 250 (-2, 0.17) & 21: 35 (14, -0.5) & 4: 215 (-3, 0.27) \\
T1547 & Boot or Logon Autostart Execution & 8: 337.45 & 10: 193 (2, -0.11) & 11: 45 (3, -0.16) & 11: 148 (3, -0.16) \\
T1070 & Indicator Removal on Host & 9: 328.56 & 8: 213 (-1, 0.06) & 18: 36 (9, -0.33) & 8: 177 (-1, 0.06) \\
T1547.001 & Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder & 10: 322.45 & 13: 178 (3, -0.13) & 12: 45 (2, -0.09) & 14: 133 (4, -0.17) \\
T1083 & File and Directory Discovery & 11: 313.14 & 9: 204 (-2, 0.1) & 22: 34 (11, -0.33) & 9: 170 (-2, 0.1) \\
T1566 & Phishing & 12: 300.86 & 34: 89 (22, -0.48) & 3: 66 (-9, 0.6) & 93: 23 (81, -0.77) \\
T1204 & User Execution & 13: 300.02 & 28: 101 (15, -0.37) & 4: 62 (-9, 0.53) & 61: 39 (48, -0.65) \\
T1070.004 & Indicator Removal on Host: File Deletion & 14: 298.56 & 12: 183 (-2, 0.08) & 19: 36 (5, -0.15) & 12: 147 (-2, 0.08) \\
T1036 & Masquerading & 15: 290.45 & 15: 146 (0, 0.0) & 13: 45 (-2, 0.07) & 19: 101 (4, -0.12) \\
T1059.001 & Command and Scripting Interpreter: PowerShell & 16: 286.34 & 22: 113 (6, -0.16) & 8: 54 (-8, 0.33) & 39: 59 (23, -0.42) \\
T1204.002 & User Execution: Malicious File & 17: 279.18 & 33: 93 (16, -0.32) & 5: 58 (-12, 0.55) & 66: 35 (49, -0.59) \\
T1057 & Process Discovery & 18: 277.09 & 11: 184 (-7, 0.24) & 31: 29 (13, -0.27) & 10: 155 (-8, 0.29) \\
T1016 & System Network Configuration Discovery & 19: 270.3 & 14: 174 (-5, 0.15) & 29: 30 (10, -0.21) & 13: 144 (-6, 0.19) \\
T1566.001 & Phishing: Spearphishing Attachment & 20: 257.97 & 42: 75 (22, -0.35) & 6: 57 (-14, 0.54) & 104: 18 (84, -0.68) \\
RBO Total & & & 0.93 & 0.92 & 0.85 \\
RBO Top 20 & & & 0.85 & 0.64 & 0.8 \\
Kendall TAU Total & & & 0.89 & 0.86 & 0.7 \\
Kendall Top 20 & & & 0.72 & 0.27 & 0.66 \\
\hline
\end{tabular}
This is a comparison of the merged variant (the metrics of sub-techniques are summed into the corresponding main-technique) with the unmerged variant. (PAPER_NOTE3_JUPYTER)
# Same weighted ranking (technique rank 3) for the merged t_dict versus the
# unmerged worker1 t_dict, labelled T_DICT1 in the table.
worker1.print_rank_comp2(
    worker1_merged_subt.t_dict,
    with_val=True,
    sort_type=3,
    compared_ranks=[[worker1.t_dict, "T_DICT1", [3]]],
    comp_rank=True,
    top=20,
)
ID Name R_WEIGH T_DICT1: R_WEIGH T1059 Command and Scripting Interpreter 1: 605.43 62: 69.73 (61, -0.97) T1027 Obfuscated Files or Information 2: 478.86 2: 429.39 (0, 0.0) T1105 Ingress Tool Transfer 3: 470.76 1: 470.76 (-2, 0.5) T1071 Application Layer Protocol 4: 404.45 159: 18.63 (155, -0.95) T1059.003 Command and Scripting Interpreter: Windows Command Shell 5: 402.92 3: 402.92 (-2, 0.25) T1071.001 Application Layer Protocol: Web Protocols 6: 366.61 4: 366.61 (-2, 0.2) T1082 System Information Discovery 7: 362.35 5: 362.35 (-2, 0.17) T1547 Boot or Logon Autostart Execution 8: 337.45 385: 1.0 (377, -0.96) T1070 Indicator Removal on Host 9: 328.56 145: 25.21 (136, -0.88) T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 10: 322.45 6: 322.45 (-4, 0.25) T1083 File and Directory Discovery 11: 313.14 7: 313.14 (-4, 0.22) T1566 Phishing 12: 300.86 251: 8.42 (239, -0.91) T1204 User Execution 13: 300.02 548: 0.0 (535, -0.95) T1070.004 Indicator Removal on Host: File Deletion 14: 298.56 8: 298.56 (-6, 0.27) T1036 Masquerading 15: 290.45 82: 51.1 (67, -0.69) T1059.001 Command and Scripting Interpreter: PowerShell 16: 286.34 9: 286.34 (-7, 0.28) T1204.002 User Execution: Malicious File 17: 279.18 10: 279.18 (-7, 0.26) T1057 Process Discovery 18: 277.09 11: 277.09 (-7, 0.24) T1016 System Network Configuration Discovery 19: 270.3 12: 265.09 (-7, 0.23) T1566.001 Phishing: Spearphishing Attachment 20: 257.97 13: 257.97 (-7, 0.21) RBO Total 0.83 RBO Top 20 0.57 Kendall TAU Total 0.78 Kendall Top 20 0.31
# Data-source view: top 20 by data-source rank 4 (rank_total_no_examples_weighted)
# compared with ranks 0-3 (technique count, total / group / software examples).
worker1_merged_subt.print_rank_comp(
    with_val=True,
    type='ds',
    sort_type=4,
    compared_ranks=range(4),
    comp_rank=True,
    top=20,
    tablefmt="latex",
)
\begin{tabular}{llllll}
\hline
Name & R\_WEIGH & NO\_T & R\_TOT & R\_GRP & R\_SW \\
Command: Command Execution (10/14) & 1: 13834.52 & 1: 242 (0, 0.0) & 1: 7376 (0, 0.0) & 1: 2012 (0, 0.0) & 1: 5364 (0, 0.0) \\
Process: Process Creation (12/14) & 2: 12333.09 & 2: 196 (0, 0.0) & 2: 6462 (0, 0.0) & 2: 1829 (0, 0.0) & 2: 4633 (0, 0.0) \\
Process: OS API Execution (8/14) & 3: 6238.7 & 7: 77 (4, -0.4) & 3: 3767 (0, 0.0) & 4: 770 (1, -0.14) & 3: 2997 (0, 0.0) \\
Network Traffic: Network Traffic Content (11/14) & 4: 5476.34 & 4: 90 (0, 0.0) & 4: 2735 (0, 0.0) & 3: 854 (-1, 0.14) & 4: 1881 (0, 0.0) \\
File: File Creation (10/14) & 5: 4690.71 & 5: 82 (0, 0.0) & 5: 2280 (0, 0.0) & 5: 751 (0, 0.0) & 6: 1529 (1, -0.09) \\
Network Traffic: Network Traffic Flow (11/14) & 6: 4459.93 & 6: 82 (0, 0.0) & 7: 2107 (1, -0.08) & 6: 733 (0, 0.0) & 8: 1374 (2, -0.14) \\
File: File Modification (8/14) & 7: 3999.86 & 3: 95 (-4, 0.4) & 6: 2183 (-1, 0.08) & 7: 566 (0, 0.0) & 5: 1617 (-2, 0.17) \\
Network Traffic: Network Connection Creation (10/14) & 8: 3331.81 & 8: 58 (0, 0.0) & 10: 1531 (2, -0.11) & 8: 561 (0, 0.0) & 11: 970 (3, -0.16) \\
Windows Registry: Windows Registry Key Modification (7/14) & 9: 3327.08 & 9: 56 (0, 0.0) & 8: 1889 (-1, 0.06) & 10: 448 (1, -0.05) & 7: 1441 (-2, 0.12) \\
Module: Module Load (6/14) & 10: 3160.32 & 11: 49 (1, -0.05) & 9: 1581 (-1, 0.05) & 9: 492 (-1, 0.05) & 9: 1089 (-1, 0.05) \\
Script: Script Execution (5/14) & 11: 2469.07 & 15: 21 (4, -0.15) & 12: 1291 (1, -0.04) & 12: 367 (1, -0.04) & 12: 924 (1, -0.04) \\
File: File Metadata (5/14) & 12: 2441.45 & 13: 32 (1, -0.04) & 11: 1334 (-1, 0.04) & 14: 345 (2, -0.08) & 10: 989 (-2, 0.09) \\
File: File Access (6/14) & 13: 2210.81 & 12: 45 (-1, 0.04) & 13: 1052 (0, 0.0) & 13: 361 (0, 0.0) & 13: 691 (0, 0.0) \\
Application Log: Application Log Content (10/14) & 14: 1997.41 & 10: 50 (-4, 0.17) & 15: 646 (1, -0.03) & 11: 421 (-3, 0.12) & 24: 225 (10, -0.26) \\
Windows Registry: Windows Registry Key Creation (3/14) & 15: 1329.59 & 19: 15 (4, -0.12) & 14: 755 (-1, 0.03) & 16: 179 (1, -0.03) & 14: 576 (-1, 0.03) \\
Service: Service Creation (6/14) & 16: 1031.56 & 20: 14 (4, -0.11) & 16: 595 (0, 0.0) & 19: 136 (3, -0.09) & 15: 459 (-1, 0.03) \\
Logon Session: Logon Session Creation (8/14) & 17: 999.21 & 14: 31 (-3, 0.1) & 25: 354 (8, -0.19) & 15: 201 (-2, 0.06) & 29: 153 (12, -0.26) \\
Process: Process Access (5/14) & 18: 988.34 & 17: 18 (-1, 0.03) & 17: 494 (-1, 0.03) & 17: 154 (-1, 0.03) & 20: 340 (2, -0.05) \\
User Account: User Account Authentication (7/14) & 19: 919.13 & 16: 20 (-3, 0.09) & 23: 428 (4, -0.1) & 18: 153 (-1, 0.03) & 23: 275 (4, -0.1) \\
Process: Process Metadata (4/14) & 20: 884.83 & 25: 10 (5, -0.11) & 18: 490 (-2, 0.05) & 20: 123 (0, 0.0) & 16: 367 (-4, 0.11) \\
RBO Total & & 0.88 & 0.97 & 0.96 & 0.94 \\
RBO Top 20 & & 0.9 & 0.96 & 0.95 & 0.91 \\
Kendall TAU Total & & 0.72 & 0.96 & 0.92 & 0.91 \\
Kendall Top 20 & & 0.77 & 0.91 & 0.89 & 0.82 \\
\hline
\end{tabular}
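print()
# Alternative exclusion set from earlier runs; an empty list keeps every data source.
#excludes=['Command: Command Execution', 'Process: Process Creation']
import math
sort_t = 3   # technique metric id: rank_no_examples_weighted (W)
sort_ds = 4  # data-source metric id: rank_total_no_examples_weighted (W)
excludes = []  # data-source names excluded from the detection path
# Ordered data sources ('ds') plus the techniques no source covers ('missing').
sp = worker1_merged_subt.get_shortest_path_for_detection(
    sort_type_ds=sort_ds,
    ref_ds_dict=worker1_merged_subt.ds_dict,
    ref_t_dict=worker1_merged_subt.t_dict,
    excluded_ds=excludes,
)
dsstr = ""  # unused; left over from an earlier string-building variant
length = 0  # number of data sources printed by the loop below
detectable_t = worker1_merged_subt.get_detectable_techniques(worker1_merged_subt.t_dict)
total_detectable_t = len(detectable_t)
# Weighted metric summed over all detectable techniques; denominator of the
# percentage columns printed below.
total_detectable_tv = round(
    sum(worker1_merged_subt.t_dict[t].get_metric(sort_t) for t in detectable_t), 2
)
total_t, total_tv, ntot_t_p, ntot_tv_p = 0, 0, 0, 0
# Raw strings: these are LaTeX macros and "\s" is not a valid Python escape
# (the plain-string form only worked because the backslash was kept verbatim).
t_notation = r"$\sum T_{TOT}$"
tv_notation = r"$\sum E_{W}$"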
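def calc_perc(part, whole):
    """Return *part* as a percentage of *whole*.

    Args:
        part: numerator (a technique count or a metric value).
        whole: denominator, the total the share refers to.

    Returns:
        ``100 * part / whole`` as a float. When ``whole`` is 0 (no detectable
        techniques, or a zero metric total) the share is reported as 0.0
        instead of aborting the report with ``ZeroDivisionError``.
    """
    if not whole:
        return 0.0
    return 100 * float(part) / float(whole)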
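for ds in sp['ds'].values():
    # Techniques this data source contributes to the detection path and its
    # weighted metric value.
    this_t = len(ds.techniques_in_detection)
    this_tv = ds.get_metric(sort_ds)
    total_t += this_t
    total_tv += this_tv
    # Share of this source and the running cumulative share of the totals.
    this_t_p = calc_perc(this_t, total_detectable_t)
    ntot_t_p += this_t_p
    this_tv_p = calc_perc(this_tv, total_detectable_tv)
    ntot_tv_p += this_tv_p
    # One LaTeX \item per data source; "%" has to be escaped as "\%" for LaTeX,
    # hence the raw replacement string ("\%" is not a valid Python escape).
    line = (
        f"\t\\item {ds.name}, {tv_notation} {this_tv} ({round(this_tv_p,2)}% / {round(ntot_tv_p,2)}%), "
        f"{t_notation} {this_t} ({round(this_t_p,2)}% / {round(ntot_t_p,2)}%)"
    )
    print(line.replace('%', r'\%'))
    length += 1
print(length)
print(total_detectable_t, total_t)
print(total_detectable_tv, total_tv)
print(f"missing in detection {len(sp['missing'])}")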
\item Command: Command Execution, $\sum E_{W}$ 13834.52 (63.74\% / 63.74\%), $\sum T_{TOT}$ 242 (51.27\% / 51.27\%)
\item Network Traffic: Network Traffic Content, $\sum E_{W}$ 4246.34 (19.56\% / 83.31\%), $\sum T_{TOT}$ 71 (15.04\% / 66.31\%)
\item Process: Process Creation, $\sum E_{W}$ 1205.74 (5.56\% / 88.86\%), $\sum T_{TOT}$ 26 (5.51\% / 71.82\%)
\item File: File Metadata, $\sum E_{W}$ 739.68 (3.41\% / 92.27\%), $\sum T_{TOT}$ 13 (2.75\% / 74.58\%)
\item User Account: User Account Authentication, $\sum E_{W}$ 507.84 (2.34\% / 94.61\%), $\sum T_{TOT}$ 15 (3.18\% / 77.75\%)
\item Process: OS API Execution, $\sum E_{W}$ 477.92 (2.2\% / 96.81\%), $\sum T_{TOT}$ 20 (4.24\% / 81.99\%)
\item Network Traffic: Network Traffic Flow, $\sum E_{W}$ 220.93 (1.02\% / 97.83\%), $\sum T_{TOT}$ 14 (2.97\% / 84.96\%)
\item File: File Creation, $\sum E_{W}$ 119.36 (0.55\% / 98.38\%), $\sum T_{TOT}$ 9 (1.91\% / 86.86\%)
\item Application Log: Application Log Content, $\sum E_{W}$ 85.99 (0.4\% / 98.77\%), $\sum T_{TOT}$ 11 (2.33\% / 89.19\%)
\item Driver: Driver Load, $\sum E_{W}$ 56.31 (0.26\% / 99.03\%), $\sum T_{TOT}$ 1 (0.21\% / 89.41\%)
\item Drive: Drive Modification, $\sum E_{W}$ 52.47 (0.24\% / 99.28\%), $\sum T_{TOT}$ 2 (0.42\% / 89.83\%)
\item Active Directory: Active Directory Credential Request, $\sum E_{W}$ 42.68 (0.2\% / 99.47\%), $\sum T_{TOT}$ 4 (0.85\% / 90.68\%)
\item File: File Content, $\sum E_{W}$ 33.05 (0.15\% / 99.62\%), $\sum T_{TOT}$ 2 (0.42\% / 91.1\%)
\item Logon Session: Logon Session Creation, $\sum E_{W}$ 23.63 (0.11\% / 99.73\%), $\sum T_{TOT}$ 5 (1.06\% / 92.16\%)
\item User Account: User Account Modification, $\sum E_{W}$ 18.84 (0.09\% / 99.82\%), $\sum T_{TOT}$ 5 (1.06\% / 93.22\%)
\item Firmware: Firmware Modification, $\sum E_{W}$ 15.42 (0.07\% / 99.89\%), $\sum T_{TOT}$ 4 (0.85\% / 94.07\%)
\item File: File Access, $\sum E_{W}$ 8.21 (0.04\% / 99.93\%), $\sum T_{TOT}$ 1 (0.21\% / 94.28\%)
\item Drive: Drive Access, $\sum E_{W}$ 6.21 (0.03\% / 99.96\%), $\sum T_{TOT}$ 1 (0.21\% / 94.49\%)
\item Cloud Storage: Cloud Storage Access, $\sum E_{W}$ 4.21 (0.02\% / 99.98\%), $\sum T_{TOT}$ 1 (0.21\% / 94.7\%)
\item File: File Modification, $\sum E_{W}$ 3.0 (0.01\% / 99.99\%), $\sum T_{TOT}$ 11 (2.33\% / 97.03\%)
\item Logon Session: Logon Session Metadata, $\sum E_{W}$ 2.0 (0.01\% / 100.0\%), $\sum T_{TOT}$ 1 (0.21\% / 97.25\%)
\item Instance: Instance Creation, $\sum E_{W}$ 0.0 (0.0\% / 100.0\%), $\sum T_{TOT}$ 3 (0.64\% / 97.88\%)
\item Snapshot: Snapshot Creation, $\sum E_{W}$ 0.0 (0.0\% / 100.0\%), $\sum T_{TOT}$ 2 (0.42\% / 98.31\%)
\item Cloud Service: Cloud Service Disable, $\sum E_{W}$ 0.0 (0.0\% / 100.0\%), $\sum T_{TOT}$ 1 (0.21\% / 98.52\%)
\item Cloud Service: Cloud Service Enumeration, $\sum E_{W}$ 0.0 (0.0\% / 100.0\%), $\sum T_{TOT}$ 1 (0.21\% / 98.73\%)
\item Cloud Storage: Cloud Storage Enumeration, $\sum E_{W}$ 0.0 (0.0\% / 100.0\%), $\sum T_{TOT}$ 1 (0.21\% / 98.94\%)
\item Firewall: Firewall Disable, $\sum E_{W}$ 0.0 (0.0\% / 100.0\%), $\sum T_{TOT}$ 1 (0.21\% / 99.15\%)
\item Image: Image Creation, $\sum E_{W}$ 0.0 (0.0\% / 100.0\%), $\sum T_{TOT}$ 1 (0.21\% / 99.36\%)
\item Instance: Instance Deletion, $\sum E_{W}$ 0.0 (0.0\% / 100.0\%), $\sum T_{TOT}$ 1 (0.21\% / 99.58\%)
\item Instance: Instance Modification, $\sum E_{W}$ 0.0 (0.0\% / 100.0\%), $\sum T_{TOT}$ 1 (0.21\% / 99.79\%)
\item User Account: User Account Creation, $\sum E_{W}$ 0.0 (0.0\% / 100.0\%), $\sum T_{TOT}$ 1 (0.21\% / 100.0\%)
31
472 472
21704.35 21704.350000000002
missing in detection 0
# Level plot of the detection path (data-source rank 4 for both orderings),
# drawn for the merged variant.
vis.get_levels_shortest_path_for_detection(
    fig_height=650,
    max_levels=5,
    sort_type_ds=4,
    sort_type_ds_vertic=4,
    ref_ds_dict=worker1_merged_subt.ds_dict,
    ref_t_dict=worker1_merged_subt.t_dict,
    worker=worker1,
)
# 'missing' entries of the detection path once "Command: Command Execution"
# is excluded, i.e. techniques no remaining data source covers.
path_without_cmd = worker1_merged_subt.get_shortest_path_for_detection(
    sort_type_ds=4,
    ref_ds_dict=worker1_merged_subt.ds_dict,
    ref_t_dict=worker1_merged_subt.t_dict,
    excluded_ds=['Command: Command Execution'],
)
print(path_without_cmd['missing'])
['T1609', 'T1003.005', 'T1059.008']
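from collections import defaultdict

# Techniques of the merged variant for which no data source is mapped at all
# (no telemetry to detect them with), grouped by tactic.
distr = defaultdict(list)
count = 0
for t in worker1_merged_subt.t_dict.values():
    if not t.datasources:
        count += 1
        for tac in t.tactics:
            distr[tac].append(t)
for tac, techniques in distr.items():
    print(f"\n{tac}: {len(techniques)}")
    for t in techniques:
        print(f"{t.id} {t.name} {t.tactics}")
print(f"\nTotal {count}")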
initial-access: 5 T1195 Supply Chain Compromise ['initial-access'] T1200 Hardware Additions ['initial-access'] T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools ['initial-access'] T1195.002 Supply Chain Compromise: Compromise Software Supply Chain ['initial-access'] T1195.003 Supply Chain Compromise: Compromise Hardware Supply Chain ['initial-access'] execution: 1 T1203 Exploitation for Client Execution ['execution'] defense-evasion: 2 T1211 Exploitation for Defense Evasion ['defense-evasion'] T1027.005 Obfuscated Files or Information: Indicator Removal from Tools ['defense-evasion'] credential-access: 1 T1212 Exploitation for Credential Access ['credential-access'] resource-development: 38 T1583 Acquire Infrastructure ['resource-development'] T1584 Compromise Infrastructure ['resource-development'] T1585 Establish Accounts ['resource-development'] T1586 Compromise Accounts ['resource-development'] T1587 Develop Capabilities ['resource-development'] T1588 Obtain Capabilities ['resource-development'] T1608 Stage Capabilities ['resource-development'] T1583.001 Acquire Infrastructure: Domains ['resource-development'] T1583.002 Acquire Infrastructure: DNS Server ['resource-development'] T1583.003 Acquire Infrastructure: Virtual Private Server ['resource-development'] T1583.004 Acquire Infrastructure: Server ['resource-development'] T1583.005 Acquire Infrastructure: Botnet ['resource-development'] T1583.006 Acquire Infrastructure: Web Services ['resource-development'] T1584.001 Compromise Infrastructure: Domains ['resource-development'] T1584.002 Compromise Infrastructure: DNS Server ['resource-development'] T1584.003 Compromise Infrastructure: Virtual Private Server ['resource-development'] T1584.004 Compromise Infrastructure: Server ['resource-development'] T1584.005 Compromise Infrastructure: Botnet ['resource-development'] T1584.006 Compromise Infrastructure: Web Services ['resource-development'] T1585.001 Establish Accounts: 
Social Media Accounts ['resource-development'] T1585.002 Establish Accounts: Email Accounts ['resource-development'] T1586.001 Compromise Accounts: Social Media Accounts ['resource-development'] T1586.002 Compromise Accounts: Email Accounts ['resource-development'] T1587.001 Develop Capabilities: Malware ['resource-development'] T1587.002 Develop Capabilities: Code Signing Certificates ['resource-development'] T1587.003 Develop Capabilities: Digital Certificates ['resource-development'] T1587.004 Develop Capabilities: Exploits ['resource-development'] T1588.001 Obtain Capabilities: Malware ['resource-development'] T1588.002 Obtain Capabilities: Tool ['resource-development'] T1588.003 Obtain Capabilities: Code Signing Certificates ['resource-development'] T1588.004 Obtain Capabilities: Digital Certificates ['resource-development'] T1588.005 Obtain Capabilities: Exploits ['resource-development'] T1588.006 Obtain Capabilities: Vulnerabilities ['resource-development'] T1608.001 Stage Capabilities: Upload Malware ['resource-development'] T1608.002 Stage Capabilities: Upload Tool ['resource-development'] T1608.003 Stage Capabilities: Install Digital Certificate ['resource-development'] T1608.004 Stage Capabilities: Drive-by Target ['resource-development'] T1608.005 Stage Capabilities: Link Target ['resource-development'] reconnaissance: 33 T1589 Gather Victim Identity Information ['reconnaissance'] T1590 Gather Victim Network Information ['reconnaissance'] T1591 Gather Victim Org Information ['reconnaissance'] T1592 Gather Victim Host Information ['reconnaissance'] T1593 Search Open Websites/Domains ['reconnaissance'] T1596 Search Open Technical Databases ['reconnaissance'] T1597 Search Closed Sources ['reconnaissance'] T1589.001 Gather Victim Identity Information: Credentials ['reconnaissance'] T1589.002 Gather Victim Identity Information: Email Addresses ['reconnaissance'] T1589.003 Gather Victim Identity Information: Employee Names ['reconnaissance'] T1590.001 Gather 
Victim Network Information: Domain Properties ['reconnaissance'] T1590.002 Gather Victim Network Information: DNS ['reconnaissance'] T1590.003 Gather Victim Network Information: Network Trust Dependencies ['reconnaissance'] T1590.004 Gather Victim Network Information: Network Topology ['reconnaissance'] T1590.005 Gather Victim Network Information: IP Addresses ['reconnaissance'] T1590.006 Gather Victim Network Information: Network Security Appliances ['reconnaissance'] T1591.001 Gather Victim Org Information: Determine Physical Locations ['reconnaissance'] T1591.002 Gather Victim Org Information: Business Relationships ['reconnaissance'] T1591.003 Gather Victim Org Information: Identify Business Tempo ['reconnaissance'] T1591.004 Gather Victim Org Information: Identify Roles ['reconnaissance'] T1592.001 Gather Victim Host Information: Hardware ['reconnaissance'] T1592.002 Gather Victim Host Information: Software ['reconnaissance'] T1592.003 Gather Victim Host Information: Firmware ['reconnaissance'] T1592.004 Gather Victim Host Information: Client Configurations ['reconnaissance'] T1593.001 Search Open Websites/Domains: Social Media ['reconnaissance'] T1593.002 Search Open Websites/Domains: Search Engines ['reconnaissance'] T1596.001 Search Open Technical Databases: DNS/Passive DNS ['reconnaissance'] T1596.002 Search Open Technical Databases: WHOIS ['reconnaissance'] T1596.003 Search Open Technical Databases: Digital Certificates ['reconnaissance'] T1596.004 Search Open Technical Databases: CDNs ['reconnaissance'] T1596.005 Search Open Technical Databases: Scan Databases ['reconnaissance'] T1597.001 Search Closed Sources: Threat Intel Vendors ['reconnaissance'] T1597.002 Search Closed Sources: Purchase Technical Data ['reconnaissance'] Total 80
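# Same grouping for the unmerged worker1 t_dict (sub-techniques kept separate):
# techniques without any mapped data source, per tactic.
distr = defaultdict(list)
count = 0
for t in worker1.t_dict.values():
    if not t.datasources:
        count += 1
        for tac in t.tactics:
            distr[tac].append(t)
for tac, techniques in distr.items():
    print(f"\n{tac}: {len(techniques)}")
    for t in techniques:
        print(f"{t.id} {t.name} {t.tactics}")
print(f"\nTotal {count}")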
defense-evasion: 2 T1027.005 Obfuscated Files or Information: Indicator Removal from Tools ['defense-evasion'] T1211 Exploitation for Defense Evasion ['defense-evasion'] initial-access: 5 T1195 Supply Chain Compromise ['initial-access'] T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools ['initial-access'] T1195.002 Supply Chain Compromise: Compromise Software Supply Chain ['initial-access'] T1195.003 Supply Chain Compromise: Compromise Hardware Supply Chain ['initial-access'] T1200 Hardware Additions ['initial-access'] execution: 1 T1203 Exploitation for Client Execution ['execution'] credential-access: 1 T1212 Exploitation for Credential Access ['credential-access'] resource-development: 38 T1583 Acquire Infrastructure ['resource-development'] T1583.001 Acquire Infrastructure: Domains ['resource-development'] T1583.002 Acquire Infrastructure: DNS Server ['resource-development'] T1583.003 Acquire Infrastructure: Virtual Private Server ['resource-development'] T1583.004 Acquire Infrastructure: Server ['resource-development'] T1583.005 Acquire Infrastructure: Botnet ['resource-development'] T1583.006 Acquire Infrastructure: Web Services ['resource-development'] T1584 Compromise Infrastructure ['resource-development'] T1584.001 Compromise Infrastructure: Domains ['resource-development'] T1584.002 Compromise Infrastructure: DNS Server ['resource-development'] T1584.003 Compromise Infrastructure: Virtual Private Server ['resource-development'] T1584.004 Compromise Infrastructure: Server ['resource-development'] T1584.005 Compromise Infrastructure: Botnet ['resource-development'] T1584.006 Compromise Infrastructure: Web Services ['resource-development'] T1585 Establish Accounts ['resource-development'] T1585.001 Establish Accounts: Social Media Accounts ['resource-development'] T1585.002 Establish Accounts: Email Accounts ['resource-development'] T1586 Compromise Accounts ['resource-development'] T1586.001 Compromise Accounts: 
Social Media Accounts ['resource-development'] T1586.002 Compromise Accounts: Email Accounts ['resource-development'] T1587 Develop Capabilities ['resource-development'] T1587.001 Develop Capabilities: Malware ['resource-development'] T1587.002 Develop Capabilities: Code Signing Certificates ['resource-development'] T1587.003 Develop Capabilities: Digital Certificates ['resource-development'] T1587.004 Develop Capabilities: Exploits ['resource-development'] T1588 Obtain Capabilities ['resource-development'] T1588.001 Obtain Capabilities: Malware ['resource-development'] T1588.002 Obtain Capabilities: Tool ['resource-development'] T1588.003 Obtain Capabilities: Code Signing Certificates ['resource-development'] T1588.004 Obtain Capabilities: Digital Certificates ['resource-development'] T1588.005 Obtain Capabilities: Exploits ['resource-development'] T1588.006 Obtain Capabilities: Vulnerabilities ['resource-development'] T1608 Stage Capabilities ['resource-development'] T1608.001 Stage Capabilities: Upload Malware ['resource-development'] T1608.002 Stage Capabilities: Upload Tool ['resource-development'] T1608.003 Stage Capabilities: Install Digital Certificate ['resource-development'] T1608.004 Stage Capabilities: Drive-by Target ['resource-development'] T1608.005 Stage Capabilities: Link Target ['resource-development'] reconnaissance: 33 T1589 Gather Victim Identity Information ['reconnaissance'] T1589.001 Gather Victim Identity Information: Credentials ['reconnaissance'] T1589.002 Gather Victim Identity Information: Email Addresses ['reconnaissance'] T1589.003 Gather Victim Identity Information: Employee Names ['reconnaissance'] T1590 Gather Victim Network Information ['reconnaissance'] T1590.001 Gather Victim Network Information: Domain Properties ['reconnaissance'] T1590.002 Gather Victim Network Information: DNS ['reconnaissance'] T1590.003 Gather Victim Network Information: Network Trust Dependencies ['reconnaissance'] T1590.004 Gather Victim Network 
Information: Network Topology ['reconnaissance'] T1590.005 Gather Victim Network Information: IP Addresses ['reconnaissance'] T1590.006 Gather Victim Network Information: Network Security Appliances ['reconnaissance'] T1591 Gather Victim Org Information ['reconnaissance'] T1591.001 Gather Victim Org Information: Determine Physical Locations ['reconnaissance'] T1591.002 Gather Victim Org Information: Business Relationships ['reconnaissance'] T1591.003 Gather Victim Org Information: Identify Business Tempo ['reconnaissance'] T1591.004 Gather Victim Org Information: Identify Roles ['reconnaissance'] T1592 Gather Victim Host Information ['reconnaissance'] T1592.001 Gather Victim Host Information: Hardware ['reconnaissance'] T1592.002 Gather Victim Host Information: Software ['reconnaissance'] T1592.003 Gather Victim Host Information: Firmware ['reconnaissance'] T1592.004 Gather Victim Host Information: Client Configurations ['reconnaissance'] T1593 Search Open Websites/Domains ['reconnaissance'] T1593.001 Search Open Websites/Domains: Social Media ['reconnaissance'] T1593.002 Search Open Websites/Domains: Search Engines ['reconnaissance'] T1596 Search Open Technical Databases ['reconnaissance'] T1596.001 Search Open Technical Databases: DNS/Passive DNS ['reconnaissance'] T1596.002 Search Open Technical Databases: WHOIS ['reconnaissance'] T1596.003 Search Open Technical Databases: Digital Certificates ['reconnaissance'] T1596.004 Search Open Technical Databases: CDNs ['reconnaissance'] T1596.005 Search Open Technical Databases: Scan Databases ['reconnaissance'] T1597 Search Closed Sources ['reconnaissance'] T1597.001 Search Closed Sources: Threat Intel Vendors ['reconnaissance'] T1597.002 Search Closed Sources: Purchase Technical Data ['reconnaissance'] Total 80
# Scatter/density plot of data sources (rank 4) against techniques (rank 1);
# the four ids are labelled in the plot.
vis.get_plot_scatter_density(
    worker1_merged_subt.ds_dict,
    worker1_merged_subt.t_dict,
    lines=True,
    text_for_ids=['T1078', 'T1068', 'T1014', 'T1203'],  # also tried: 'T1078', 'T1036.005'
    ds_rank=4,
    t_rank=1,
    levels=0,
)
ds_rank = 4  # data-source rank id used by the helper below
t_rank = 1   # technique rank id used by the helper below
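def print_t_of_t_ds(t, *, ds_rank_id=None, t_rank_id=None):
    """Print the data sources of technique *t* and the techniques each covers.

    For every data source of ``t`` one header line ``"<name> <rank>"`` is
    printed, followed by one tab-indented ``"<id>, <name>, <metric 3>"`` line
    per technique of that data source, ordered by the technique rank.

    Args:
        t: technique object exposing ``datasources``; each data source is
            expected to expose ``name``, ``get_rank`` and ``techniques``.
        ds_rank_id: rank id passed to ``ds.get_rank``; defaults to the
            notebook-level ``ds_rank``.
        t_rank_id: rank id the techniques are sorted by; defaults to the
            notebook-level ``t_rank``.

    Returns:
        None; everything is written to stdout.
    """
    # The earlier body read the notebook global ``tobj`` instead of the
    # parameter, so the argument was silently ignored.
    if ds_rank_id is None:
        ds_rank_id = ds_rank
    if t_rank_id is None:
        t_rank_id = t_rank
    for datasource in t.datasources:
        print(f"{datasource.name} {datasource.get_rank(ds_rank_id)}")
        covered = sorted(datasource.techniques, key=lambda x: x.get_rank(t_rank_id))
        for technique in covered:
            print(f"\t{technique.id}, {technique.name}, {technique.get_metric(3)}")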
# Spot-check four techniques: own rank and metrics, then every technique that
# shares one of its data sources.
for t in ['T1078', 'T1068', 'T1014', 'T1203']:  # also tried: 'T1036.005', 'T1078'
    tobj = worker1_merged_subt.t_dict[t]
    header = (
        f"{t} {tobj.name} {tobj.get_rank(t_rank)} "
        f"{tobj.get_metric(t_rank)} {tobj.get_metric(ds_rank-1)}"
    )
    print(header)
    print_t_of_t_ds(tobj)
    print("\n\n")
T1078 Valid Accounts 16 39 176.19 Logon Session: Logon Session Creation 17 T1078, Valid Accounts, 176.19 T1021, Remote Services, 173.93 T1021.001, Remote Services: Remote Desktop Protocol, 107.62 T1021.002, Remote Services: SMB/Windows Admin Shares, 84.36 T1114, Email Collection, 63.52 T1114.002, Email Collection: Remote Email Collection, 41.89 T1550, Use Alternate Authentication Material, 46.89 T1078.002, Valid Accounts: Domain Accounts, 40.89 T1021.004, Remote Services: SSH, 36.68 T1078.003, Valid Accounts: Local Accounts, 37.68 T1550.002, Use Alternate Authentication Material: Pass the Hash, 36.47 T1213, Data from Information Repositories, 27.26 T1021.006, Remote Services: Windows Remote Management, 17.84 T1199, Trusted Relationship, 16.84 T1213.002, Data from Information Repositories: Sharepoint, 13.63 T1550.003, Use Alternate Authentication Material: Pass the Ticket, 15.63 T1556, Modify Authentication Process, 14.42 T1021.005, Remote Services: VNC, 11.42 T1606, Forge Web Credentials, 4.21 T1606.002, Forge Web Credentials: SAML Tokens, 4.21 T1606.001, Forge Web Credentials: Web Cookies, 4.21 T1556.001, Modify Authentication Process: Domain Controller Authentication, 5.21 T1078.004, Valid Accounts: Cloud Accounts, 4.21 T1538, Cloud Service Dashboard, 0.0 T1213.001, Data from Information Repositories: Confluence, 0.0 T1185, Man in the Browser, 9.0 T1556.003, Modify Authentication Process: Pluggable Authentication Modules, 2.0 T1563, Remote Service Session Hijacking, 1.0 T1563.002, Remote Service Session Hijacking: RDP Hijacking, 1.0 T1563.001, Remote Service Session Hijacking: SSH Hijacking, 0.0 T1078.001, Valid Accounts: Default Accounts, 1.0 User Account: User Account Authentication 19 T1078, Valid Accounts, 176.19 T1070, Indicator Removal on Host, 328.56 T1110, Brute Force, 84.36 T1552, Unsecured Credentials, 74.52 T1550, Use Alternate Authentication Material, 46.89 T1078.002, Valid Accounts: Domain Accounts, 40.89 T1078.003, Valid Accounts: Local Accounts, 
37.68 T1550.002, Use Alternate Authentication Material: Pass the Hash, 36.47 T1110.003, Brute Force: Password Spraying, 28.26 T1110.002, Brute Force: Password Cracking, 17.84 T1550.003, Use Alternate Authentication Material: Pass the Ticket, 15.63 T1110.004, Brute Force: Credential Stuffing, 5.21 T1110.001, Brute Force: Password Guessing, 12.21 T1070.005, Indicator Removal on Host: Network Share Connection Removal, 7.21 T1078.004, Valid Accounts: Cloud Accounts, 4.21 T1538, Cloud Service Dashboard, 0.0 T1207, Rogue Domain Controller, 1.0 T1552.005, Unsecured Credentials: Cloud Instance Metadata API, 1.0 T1552.007, Unsecured Credentials: Container API, 0.0 T1078.001, Valid Accounts: Default Accounts, 1.0 T1068 Exploitation for Privilege Escalation 92 11 56.31 Driver: Driver Load 21 T1547, Boot or Logon Autostart Execution, 337.45 T1056, Input Capture, 194.62 T1056.001, Input Capture: Keylogging, 182.62 T1068, Exploitation for Privilege Escalation, 56.31 T1561, Disk Wipe, 20.84 T1561.002, Disk Wipe: Disk Structure Wipe, 19.84 T1111, Two-Factor Authentication Interception, 9.42 T1561.001, Disk Wipe: Disk Content Wipe, 7.21 T1547.008, Boot or Logon Autostart Execution: LSASS Driver, 2.0 T1547.012, Boot or Logon Autostart Execution: Print Processors, 1.0 T1014 Rootkit 197 4 34.84 Drive: Drive Modification 55 T1561, Disk Wipe, 20.84 T1561.002, Disk Wipe: Disk Structure Wipe, 19.84 T1542, Pre-OS Boot, 24.84 T1014, Rootkit, 34.84 T1542.003, Pre-OS Boot: Bootkit, 17.63 T1561.001, Disk Wipe: Disk Content Wipe, 7.21 Firmware: Firmware Modification 47 T1564, Hide Artifacts, 123.36 T1542, Pre-OS Boot, 24.84 T1014, Rootkit, 34.84 T1564.005, Hide Artifacts: Hidden File System, 11.42 T1542.002, Pre-OS Boot: Component Firmware, 4.21 T1495, Firmware Corruption, 1.0 T1542.004, Pre-OS Boot: ROMMONkit, 0.0 T1542.001, Pre-OS Boot: System Firmware, 3.0 T1542.005, Pre-OS Boot: TFTP Boot, 0.0 T1203 Exploitation for Client Execution 33 28 128.88
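ti = []
my_range = list(range(10))  # threat-intel report ids 0..9
# Earlier runs dropped single reports by index; the index comments no longer
# match the printed list (3 is the PwC report there, FireEye is ti[6]), so the
# filtered range is not used any more.
#my_range_cln = my_range[:3] + my_range[3+1:]
#my_range_cln = my_range_cln[:2] + my_range_cln[2+1:]
for i in my_range:
    ti.append(worker.get_rank_with_ti_db(worker1, i))
    print(f"{i}: {ti[i]['full_name']}")
# Reports used by the comparisons below; indices follow the printed list.
RedCanary = ti[5]
Rapid7 = ti[1]
FireEye = ti[6]
# FireEye's weighted technique ranking (sort_type=3) against the merged ATT&CK
# technique ranks 1 (group examples) and 3 (weighted examples).
worker1_merged_subt.print_rank_comp2(
    FireEye['ct'],
    with_val=False,
    sort_type=3,
    compared_ranks=[[worker1_merged_subt.t_dict, "T_DICT2", [1, 3]]],
    comp_rank=True,
    top=20,
    tablefmt='latex',
)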
0: Cisco Talos - quarterly report incident response trends in summer 2020 1: Rapid7 2: Cisco Talos 3: PwC - Cyber Threats 2020 A Year in Retrospect 4: Cisco Talos*
WARNING:root:T1409 unknown, skipping
5: RedCanary - 2021 Threat Detection Report
6: FireEye Mandiant - M-Trends 2021
7: McAfee
8: Sophos
9: Cisco Talos**
\begin{tabular}{lllll}
\hline
ID & Name & R\_WEIGH & T\_DICT2: R\_GRP & T\_DICT2: R\_WEIGH \\
T1027 & Obfuscated Files or Information & 1 & 2 (1, -0.33) & 2 (1, -0.33) \\
T1059 & Command and Scripting Interpreter & 2 & 1 (-1, 0.33) & 1 (-1, 0.33) \\
T1059.001 & Command and Scripting Interpreter: PowerShell & 3 & 8 (5, -0.45) & 16 (13, -0.68) \\
T1569 & System Services & 4 & 98 (94, -0.92) & 83 (79, -0.91) \\
T1569.002 & System Services: Service Execution & 5 & 99 (94, -0.9) & 84 (79, -0.89) \\
T1021 & Remote Services & 6 & 24 (18, -0.6) & 36 (30, -0.71) \\
T1021.001 & Remote Services: Remote Desktop Protocol & 7 & 45 (38, -0.73) & 66 (59, -0.81) \\
T1070 & Indicator Removal on Host & 8 & 18 (10, -0.38) & 9 (1, -0.06) \\
T1105 & Ingress Tool Transfer & 9 & 7 (-2, 0.12) & 3 (-6, 0.5) \\
T1082 & System Information Discovery & 10 & 21 (11, -0.35) & 7 (-3, 0.18) \\
T1083 & File and Directory Discovery & 11 & 22 (11, -0.33) & 11 (0, 0.0) \\
T1190 & Exploit Public-Facing Application & 12 & 78 (66, -0.73) & 104 (92, -0.79) \\
T1588 & Obtain Capabilities & 13 & 128 (115, -0.82) & 155 (142, -0.85) \\
T1588.003 & Obtain Capabilities: Code Signing Certificates & 14 & 343 (329, -0.92) & 336 (322, -0.92) \\
T1553 & Subvert Trust Controls & 15 & 51 (36, -0.55) & 61 (46, -0.61) \\
T1553.002 & Subvert Trust Controls: Code Signing & 16 & 57 (41, -0.56) & 69 (53, -0.62) \\
T1070.004 & Indicator Removal on Host: File Deletion & 17 & 19 (2, -0.06) & 14 (-3, 0.1) \\
T1055 & Process Injection & 18 & 44 (26, -0.42) & 32 (14, -0.28) \\
T1573 & Encrypted Channel & 19 & 61 (42, -0.53) & 28 (9, -0.19) \\
T1573.002 & Encrypted Channel: Asymmetric Cryptography & 20 & 148 (128, -0.76) & 98 (78, -0.66) \\
RBO Total & & & 0.61 & 0.62 \\
RBO Top 20 & & & 0.37 & 0.44 \\
Kendall TAU Total & & & 0.41 & 0.42 \\
Kendall Top 20 & & & 0.37 & 0.26 \\
\hline
\end{tabular}
# FireEye's weighted technique ranking (sort_type 3) against RedCanary,
# Rapid7 and the merged-with-subtechniques ATT&CK ranking; LaTeX, top 20.
_fe_vs_ti = [
    [RedCanary['ct'], "RedCanary", [3]],
    [Rapid7['ct'], "Rapid7", [3]],
    [worker1_merged_subt.t_dict, "MSUBT", [3]],
]
worker1.print_rank_comp2(
    FireEye['ct'], with_val=False, sort_type=3,
    compared_ranks=_fe_vs_ti, comp_rank=True, top=20, tablefmt="latex",
)
List elements are not even, skipping tau ...
List elements are not even, skipping tau ...
\begin{tabular}{llllll}
\hline
ID & Name & R\_WEIGH & RedCanary: R\_WEIGH & Rapid7: R\_WEIGH & MSUBT: R\_WEIGH \\
T1027 & Obfuscated Files or Information & 1 & 13 (12, -0.86) & 18 (17, -0.89) & 2 (1, -0.33) \\
T1059 & Command and Scripting Interpreter & 2 & 1 (-1, 0.33) & 6 (4, -0.5) & 1 (-1, 0.33) \\
T1059.001 & Command and Scripting Interpreter: PowerShell & 3 & 8 (5, -0.45) & 8 (5, -0.45) & 16 (13, -0.68) \\
T1569 & System Services & 4 & 15 (11, -0.58) & & 83 (79, -0.91) \\
T1569.002 & System Services: Service Execution & 5 & 17 (12, -0.55) & & 84 (79, -0.89) \\
T1021 & Remote Services & 6 & & & 36 (30, -0.71) \\
T1021.001 & Remote Services: Remote Desktop Protocol & 7 & & & 66 (59, -0.81) \\
T1070 & Indicator Removal on Host & 8 & & & 9 (1, -0.06) \\
T1105 & Ingress Tool Transfer & 9 & 14 (5, -0.22) & & 3 (-6, 0.5) \\
T1082 & System Information Discovery & 10 & & 19 (9, -0.31) & 7 (-3, 0.18) \\
T1083 & File and Directory Discovery & 11 & & & 11 (0, 0.0) \\
T1190 & Exploit Public-Facing Application & 12 & & & 104 (92, -0.79) \\
T1588 & Obtain Capabilities & 13 & & & 155 (142, -0.85) \\
T1588.003 & Obtain Capabilities: Code Signing Certificates & 14 & & & 336 (322, -0.92) \\
T1553 & Subvert Trust Controls & 15 & & & 61 (46, -0.61) \\
T1553.002 & Subvert Trust Controls: Code Signing & 16 & & & 69 (53, -0.62) \\
T1070.004 & Indicator Removal on Host: File Deletion & 17 & & & 14 (-3, 0.1) \\
T1055 & Process Injection & 18 & 12 (-6, 0.2) & & 32 (14, -0.28) \\
T1573 & Encrypted Channel & 19 & & & 28 (9, -0.19) \\
T1573.002 & Encrypted Channel: Asymmetric Cryptography & 20 & & & 98 (78, -0.66) \\
RBO Total & & & 0.26 & 0.14 & 0.62 \\
RBO Top 20 & & & 0.26 & 0.13 & 0.44 \\
Kendall TAU Total & & & & & \\
Kendall Top 20 & & & & & \\
\hline
\end{tabular}
# Stats over all TI data sets (index 3 left out via my_range_cln). A weighted
# value exists only for 2, 3 and 4, so the ranking of the others can be
# ignored: a rank there only means the technique is present in that data
# set, without any ordering.
_all_ti_weighted = [[ti[i]['ct'], i, [3]] for i in my_range_cln]
worker1.print_rank_comp2(
    FireEye['ct'], with_val=False, sort_type=3,
    compared_ranks=_all_ti_weighted, comp_rank=False, top=20,
)
List elements are not even, skipping tau ... List elements are not even, skipping tau ... ID Name R_WEIGH 0: R_WEIGH 1: R_WEIGH 2: R_WEIGH 4: R_WEIGH 5: R_WEIGH 6: R_WEIGH 7: R_WEIGH 8: R_WEIGH 9: R_WEIGH T1027 Obfuscated Files or Information 1 18 13 1 22 9 T1059 Command and Scripting Interpreter 2 6 1 2 6 6 T1059.001 Command and Scripting Interpreter: PowerShell 3 1 8 2 8 3 2 T1569 System Services 4 15 4 45 T1569.002 System Services: Service Execution 5 17 5 T1021 Remote Services 6 6 27 T1021.001 Remote Services: Remote Desktop Protocol 7 6 10 9 7 34 10 T1070 Indicator Removal on Host 8 4 8 7 8 22 T1105 Ingress Tool Transfer 9 14 9 16 23 T1082 System Information Discovery 10 19 11 10 32 41 T1083 File and Directory Discovery 11 11 14 T1190 Exploit Public-Facing Application 12 12 11 18 6 T1588 Obtain Capabilities 13 13 T1588.003 Obtain Capabilities: Code Signing Certificates 14 14 T1553 Subvert Trust Controls 15 15 T1553.002 Subvert Trust Controls: Code Signing 16 16 T1070.004 Indicator Removal on Host: File Deletion 17 17 T1055 Process Injection 18 12 18 25 T1573 Encrypted Channel 19 19 T1573.002 Encrypted Channel: Asymmetric Cryptography 20 20 RBO Total 0.18 0.14 0.21 0.07 0.26 1.0 0.22 0.19 0.18 RBO Top 20 0.18 0.13 0.21 0.07 0.26 1.0 0.13 0.07 0.18 Kendall TAU Total Kendall Top 20
# Same comparison on metric 0 (R_TOT): only 2 and 4 are expected to differ,
# because they carry some kind of weighted value. No TI data set is ranked on
# sort_type 0, therefore RBO/TAU differ from the table above.
_all_ti_total = [[ti[i]['ct'], i, [0]] for i in my_range_cln]
worker1.print_rank_comp2(
    FireEye['ct'], with_val=False, sort_type=3,
    compared_ranks=_all_ti_total, comp_rank=False, top=20,
)
List elements are not even, skipping tau ... List elements are not even, skipping tau ... ID Name R_WEIGH 0: R_TOT 1: R_TOT 2: R_TOT 4: R_TOT 5: R_TOT 6: R_TOT 7: R_TOT 8: R_TOT 9: R_TOT T1027 Obfuscated Files or Information 1 11 11 127 22 9 T1059 Command and Scripting Interpreter 2 4 1 35 6 6 T1059.001 Command and Scripting Interpreter: PowerShell 3 1 5 2 2 37 2 T1569 System Services 4 18 189 45 T1569.002 System Services: Service Execution 5 19 190 T1021 Remote Services 6 155 27 T1021.001 Remote Services: Remote Desktop Protocol 7 6 10 9 157 34 10 T1070 Indicator Removal on Host 8 4 8 7 97 22 T1105 Ingress Tool Transfer 9 6 103 16 23 T1082 System Information Discovery 10 20 11 184 32 41 T1083 File and Directory Discovery 11 83 14 T1190 Exploit Public-Facing Application 12 78 11 18 6 T1588 Obtain Capabilities 13 133 T1588.003 Obtain Capabilities: Code Signing Certificates 14 134 T1553 Subvert Trust Controls 15 180 T1553.002 Subvert Trust Controls: Code Signing 16 181 T1070.004 Indicator Removal on Host: File Deletion 17 99 T1055 Process Injection 18 12 144 25 T1573 Encrypted Channel 19 70 T1573.002 Encrypted Channel: Asymmetric Cryptography 20 71 RBO Total 0.18 0.2 0.21 0.07 0.33 0.51 0.22 0.19 0.18 RBO Top 20 0.18 0.2 0.21 0.07 0.33 0.0 0.13 0.07 0.18 Kendall TAU Total Kendall Top 20
# Reverse view: the merged ATT&CK (with sub-techniques) weighted ranking is
# the reference, FireEye and RedCanary are compared against it; LaTeX, top 20.
_msubt_vs_reports = [
    [FireEye['ct'], "FireEye", [3]],
    [RedCanary['ct'], "RedCanary", [3]],
]
worker1.print_rank_comp2(
    worker1_merged_subt.t_dict, with_val=False, sort_type=3,
    compared_ranks=_msubt_vs_reports, comp_rank=True, top=20, tablefmt="latex",
)
List elements are not even, skipping tau ...
List elements are not even, skipping tau ...
\begin{tabular}{lllll}
\hline
ID & Name & R\_WEIGH & FireEye: R\_WEIGH & RedCanary: R\_WEIGH \\
T1059 & Command and Scripting Interpreter & 1 & 2 (1, -0.33) & 1 (0, 0.0) \\
T1027 & Obfuscated Files or Information & 2 & 1 (-1, 0.33) & 13 (11, -0.73) \\
T1105 & Ingress Tool Transfer & 3 & 9 (6, -0.5) & 14 (11, -0.65) \\
T1071 & Application Layer Protocol & 4 & 37 (33, -0.8) & \\
T1059.003 & Command and Scripting Interpreter: Windows Command Shell & 5 & 23 (18, -0.64) & 9 (4, -0.29) \\
T1071.001 & Application Layer Protocol: Web Protocols & 6 & 46 (40, -0.77) & \\
T1082 & System Information Discovery & 7 & 10 (3, -0.18) & \\
T1547 & Boot or Logon Autostart Execution & 8 & 70 (62, -0.79) & \\
T1070 & Indicator Removal on Host & 9 & 8 (-1, 0.06) & \\
T1547.001 & Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder & 10 & 71 (61, -0.75) & \\
T1083 & File and Directory Discovery & 11 & 11 (0, 0.0) & \\
T1566 & Phishing & 12 & 25 (13, -0.35) & \\
T1204 & User Execution & 13 & 36 (23, -0.47) & \\
T1070.004 & Indicator Removal on Host: File Deletion & 14 & 17 (3, -0.1) & \\
T1036 & Masquerading & 15 & 108 (93, -0.76) & 16 (1, -0.03) \\
T1059.001 & Command and Scripting Interpreter: PowerShell & 16 & 3 (-13, 0.68) & 8 (-8, 0.33) \\
T1204.002 & User Execution: Malicious File & 17 & 77 (60, -0.64) & \\
T1057 & Process Discovery & 18 & 32 (14, -0.28) & \\
T1016 & System Network Configuration Discovery & 19 & 29 (10, -0.21) & \\
T1566.001 & Phishing: Spearphishing Attachment & 20 & 48 (28, -0.41) & \\
RBO Total & & & 0.62 & 0.3 \\
RBO Top 20 & & & 0.44 & 0.3 \\
Kendall TAU Total & & & & \\
Kendall Top 20 & & & & \\
\hline
\end{tabular}
# Merged ATT&CK weighted ranking against every TI data set (full my_range,
# nothing excluded) on metric 0 (R_TOT); plain text, no rank comparison.
_msubt_vs_all_ti = [[ti[i]['ct'], i, [0]] for i in my_range]
worker1.print_rank_comp2(
    worker1_merged_subt.t_dict, with_val=False, sort_type=3,
    compared_ranks=_msubt_vs_all_ti, comp_rank=False, top=20,
)
List elements are not even, skipping tau ... List elements are not even, skipping tau ... ID Name R_WEIGH 0: R_TOT 1: R_TOT 2: R_TOT 3: R_TOT 4: R_TOT 5: R_TOT 6: R_TOT 7: R_TOT 8: R_TOT 9: R_TOT T1059 Command and Scripting Interpreter 1 4 3 1 35 6 6 T1027 Obfuscated Files or Information 2 11 16 11 127 22 9 T1105 Ingress Tool Transfer 3 6 103 16 23 T1071 Application Layer Protocol 4 1 14 T1059.003 Command and Scripting Interpreter: Windows Command Shell 5 3 40 T1071.001 Application Layer Protocol: Web Protocols 6 18 T1082 System Information Discovery 7 20 11 21 184 32 41 T1547 Boot or Logon Autostart Execution 8 25 T1070 Indicator Removal on Host 9 4 8 7 97 22 T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 10 2 2 26 2 4 T1083 File and Directory Discovery 11 10 83 14 T1566 Phishing 12 17 137 23 31 T1204 User Execution 13 21 23 203 34 51 T1070.004 Indicator Removal on Host: File Deletion 14 12 99 T1036 Masquerading 15 10 15 7 108 19 26 T1059.001 Command and Scripting Interpreter: PowerShell 16 1 5 2 2 37 2 T1204.002 User Execution: Malicious File 17 11 204 T1057 Process Discovery 18 18 143 24 T1016 System Network Configuration Discovery 19 185 42 T1566.001 Phishing: Spearphishing Attachment 20 5 138 RBO Total 0.0 0.21 0.05 0.36 0.03 0.39 0.39 0.26 0.2 0.03 RBO Top 20 0.0 0.19 0.05 0.34 0.03 0.39 0.03 0.14 0.1 0.03 Kendall TAU Total Kendall Top 20
# Datasource view: FireEye's datasource ranking on metric 4 (weighted)
# against the merged ATT&CK datasource dict; LaTeX, top 20.
_fe_ds_vs_msubt = [[worker1_merged_subt.ds_dict, "MSUBT", [4]]]
worker1.print_rank_comp2(
    FireEye['cd'], with_val=False, sort_type=4,
    compared_ranks=_fe_ds_vs_msubt, comp_rank=True, top=20, tablefmt="latex",
)
\begin{tabular}{lll}
\hline
Name & R\_WEIGH & MSUBT: R\_WEIGH \\
Command: Command Execution & 1 & 1 (0, 0.0) \\
Process: Process Creation & 2 & 2 (0, 0.0) \\
Process: OS API Execution & 3 & 3 (0, 0.0) \\
Network Traffic: Network Traffic Content & 4 & 4 (0, 0.0) \\
File: File Modification & 5 & 7 (2, -0.17) \\
Network Traffic: Network Traffic Flow & 6 & 6 (0, 0.0) \\
Windows Registry: Windows Registry Key Modification & 7 & 9 (2, -0.12) \\
File: File Creation & 8 & 5 (-3, 0.23) \\
Module: Module Load & 9 & 10 (1, -0.05) \\
File: File Metadata & 10 & 12 (2, -0.09) \\
Script: Script Execution & 11 & 11 (0, 0.0) \\
Network Traffic: Network Connection Creation & 12 & 8 (-4, 0.2) \\
Application Log: Application Log Content & 13 & 14 (1, -0.04) \\
Logon Session: Logon Session Creation & 14 & 17 (3, -0.1) \\
Service: Service Creation & 15 & 16 (1, -0.03) \\
File: File Content & 16 & 23 (7, -0.18) \\
Windows Registry: Windows Registry Key Creation & 17 & 15 (-2, 0.06) \\
Windows Registry: Windows Registry Key Deletion & 18 & 25 (7, -0.16) \\
File: File Deletion & 19 & 24 (5, -0.12) \\
User Account: User Account Authentication & 20 & 19 (-1, 0.03) \\
RBO Total & & 0.91 \\
RBO Top 20 & & 0.91 \\
Kendall TAU Total & & 0.75 \\
Kendall Top 20 & & 0.82 \\
\hline
\end{tabular}
# Shortest detection paths (ordered datasource lists) for the two TI reports
# and for the merged ATT&CK data. The TI reports expose their datasources and
# techniques as 'cd'/'ct', the merged worker as ds_dict/t_dict.
# (Earlier scratch code that tallied RedCanary datasources with a Counter was
# removed here; it referenced RedCanary_path before that path was built.)
def _path_for(ds_ref, t_ref):
    return worker1.get_shortest_path_for_detection(ref_ds_dict=ds_ref, ref_t_dict=t_ref)


RedCanary_path = _path_for(RedCanary['cd'], RedCanary['ct'])
FireEye_path = _path_for(FireEye['cd'], FireEye['ct'])
worker1_merged_subt_path = _path_for(worker1_merged_subt.ds_dict, worker1_merged_subt.t_dict)
# Merged path as the reference, the two report paths compared against it.
worker1.print_rank_comp_path(
    worker1_merged_subt_path,
    [['RedCanary', RedCanary_path], ['FireEye', FireEye_path]],
    top=100,
)
DS Name Rank RedCanary FireEye Command: Command Execution 1 1 (0, 0.0) 1 (0, 0.0) Network Traffic: Network Traffic Content 2 0 (-2, 1.0) 2 (0, 0.0) Process: Process Creation 3 0 (-3, 1.0) 6 (3, -0.33) File: File Metadata 4 2 (-2, 0.33) 3 (-1, 0.14) User Account: User Account Authentication 5 0 (-5, 1.0) 0 (-5, 1.0) Process: OS API Execution 6 0 (-6, 1.0) 7 (1, -0.08) Network Traffic: Network Traffic Flow 7 0 (-7, 1.0) 0 (-7, 1.0) File: File Creation 8 3 (-5, 0.45) 8 (0, 0.0) Application Log: Application Log Content 9 0 (-9, 1.0) 5 (-4, 0.29) Driver: Driver Load 10 0 (-10, 1.0) 15 (5, -0.2) Drive: Drive Modification 11 0 (-11, 1.0) 14 (3, -0.12) Active Directory: Active Directory Credential Request 12 0 (-12, 1.0) 9 (-3, 0.14) File: File Content 13 0 (-13, 1.0) 17 (4, -0.13) Logon Session: Logon Session Creation 14 0 (-14, 1.0) 4 (-10, 0.56) User Account: User Account Modification 15 0 (-15, 1.0) 0 (-15, 1.0) Firmware: Firmware Modification 16 0 (-16, 1.0) 0 (-16, 1.0) File: File Access 17 0 (-17, 1.0) 16 (-1, 0.03) Drive: Drive Access 18 0 (-18, 1.0) 0 (-18, 1.0) Cloud Storage: Cloud Storage Access 19 0 (-19, 1.0) 12 (-7, 0.23) File: File Modification 20 0 (-20, 1.0) 0 (-20, 1.0) Logon Session: Logon Session Metadata 21 0 (-21, 1.0) 0 (-21, 1.0) Instance: Instance Creation 22 0 (-22, 1.0) 10 (-12, 0.38) Snapshot: Snapshot Creation 23 0 (-23, 1.0) 0 (-23, 1.0) Cloud Service: Cloud Service Disable 24 0 (-24, 1.0) 0 (-24, 1.0) Cloud Service: Cloud Service Enumeration 25 0 (-25, 1.0) 0 (-25, 1.0) Cloud Storage: Cloud Storage Enumeration 26 0 (-26, 1.0) 13 (-13, 0.33) Firewall: Firewall Disable 27 0 (-27, 1.0) 18 (-9, 0.2) Image: Image Creation 28 0 (-28, 1.0) 0 (-28, 1.0) Instance: Instance Deletion 29 0 (-29, 1.0) 19 (-10, 0.21) Instance: Instance Modification 30 0 (-30, 1.0) 0 (-30, 1.0) User Account: User Account Creation 31 0 (-31, 1.0) 0 (-31, 1.0) PATH LENGTH 31 3 20 PATH MISSING 0 0 0 TOTAL TAU -0.33 -0.04 TOTAL RBO 0.61 0.73 TOP 100 TAU -0.33 -0.04 TOP 100 RBO 
0.61 0.73
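print()
#excludes=['Command: Command Execution', 'Process: Process Creation']
sort_t = 3   # technique metric 3: weighted number of examples (W)
sort_ds = 4  # datasource metric 4: weighted total number of examples (W)
excludes = []  # datasources to leave out of the path; see the commented line above
# Shortest detection path with FireEye's datasource ranking as the reference
# and the merged-with-subtechniques technique dict as the set to cover.
sp = worker1.get_shortest_path_for_detection(
    sort_type_ds=sort_ds,
    ref_ds_dict=FireEye['cd'],
    ref_t_dict=worker1_merged_subt.t_dict,
    excluded_ds=excludes,
)
length = 0  # incremented once per datasource in the loop below
detectable_t = worker1_merged_subt.get_detectable_techniques(worker1_merged_subt.t_dict)
total_detectable_t = len(detectable_t)
# Weighted value summed over all detectable techniques (generator, no temp list).
total_detectable_tv = round(
    sum(worker1_merged_subt.t_dict[t].get_metric(sort_t) for t in detectable_t), 2
)
total_t, total_tv, ntot_t_p, ntot_tv_p = 0, 0, 0, 0
# Raw strings: "\s" is an invalid escape sequence in a normal literal (a
# warning today, a SyntaxError in future Python). The values are unchanged.
t_notation = r"$\sum T_{TOT}$"
tv_notation = r"$\sum E_{W}$"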
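def calc_perc(part, whole):
    """Return *part* as a percentage of *whole*; 0.0 when *whole* is 0.

    Defined here because this cell runs before the cell further down that
    also defines it; without a definition the loop below raises NameError.
    """
    if not whole:
        return 0.0
    return 100 * float(part) / float(whole)


# Walk the path in order and print one LaTeX \item per datasource:
# weighted value and technique count, each as "(share% / cumulative%)" of
# everything detectable. The cumulative column is the coverage reached
# after adding this datasource to the ones before it.
for ds in sp['ds'].values():
    this_t = len(ds.techniques_in_detection)  # techniques this datasource adds
    this_tv = ds.get_metric(sort_ds)           # its weighted value
    total_t += this_t
    total_tv += this_tv
    this_t_p = calc_perc(this_t, total_detectable_t)
    ntot_t_p += this_t_p
    this_tv_p = calc_perc(this_tv, total_detectable_tv)
    ntot_tv_p += this_tv_p
    line = (
        f"\t\\item {ds.name}, {tv_notation} {this_tv} "
        f"({round(this_tv_p, 2)}% / {round(ntot_tv_p, 2)}%), "
        f"{t_notation} {this_t} ({round(this_t_p, 2)}% / {round(ntot_t_p, 2)}%)"
    )
    # r'\%' escapes the percent sign for LaTeX without an invalid "\%" escape.
    print(line.replace('%', r'\%'))
    length += 1
print(length)
print(total_detectable_t, total_t)
print(total_detectable_tv, total_tv)
print(f"missing in detection {len(sp['missing'])}")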
\item Command: Command Execution, $\sum E_{W}$ 11699.11 (53.9\% / 53.9\%), $\sum T_{TOT}$ 112 (23.73\% / 23.73\%)
\item Network Traffic: Network Traffic Content, $\sum E_{W}$ 3476.29 (16.02\% / 69.92\%), $\sum T_{TOT}$ 34 (7.2\% / 30.93\%)
\item Process: Process Creation, $\sum E_{W}$ 1006.6 (4.64\% / 74.56\%), $\sum T_{TOT}$ 10 (2.12\% / 33.05\%)
\item File: File Metadata, $\sum E_{W}$ 703.21 (3.24\% / 77.8\%), $\sum T_{TOT}$ 7 (1.48\% / 34.53\%)
\item User Account: User Account Authentication, $\sum E_{W}$ 400.01 (1.84\% / 79.64\%), $\sum T_{TOT}$ 8 (1.69\% / 36.23\%)
\item Process: OS API Execution, $\sum E_{W}$ 340.19 (1.57\% / 81.21\%), $\sum T_{TOT}$ 5 (1.06\% / 37.29\%)
\item Application Log: Application Log Content, $\sum E_{W}$ 141.72 (0.65\% / 81.86\%), $\sum T_{TOT}$ 5 (1.06\% / 38.35\%)
\item File: File Creation, $\sum E_{W}$ 67.1 (0.31\% / 82.17\%), $\sum T_{TOT}$ 3 (0.64\% / 38.98\%)
\item Driver: Driver Load, $\sum E_{W}$ 56.31 (0.26\% / 82.43\%), $\sum T_{TOT}$ 1 (0.21\% / 39.19\%)
\item Active Directory: Active Directory Credential Request, $\sum E_{W}$ 36.47 (0.17\% / 82.6\%), $\sum T_{TOT}$ 2 (0.42\% / 39.62\%)
\item File: File Content, $\sum E_{W}$ 33.05 (0.15\% / 82.75\%), $\sum T_{TOT}$ 1 (0.21\% / 39.83\%)
\item Network Traffic: Network Connection Creation, $\sum E_{W}$ 22.42 (0.1\% / 82.85\%), $\sum T_{TOT}$ 1 (0.21\% / 40.04\%)
\item Drive: Drive Modification, $\sum E_{W}$ 17.63 (0.08\% / 82.93\%), $\sum T_{TOT}$ 1 (0.21\% / 40.25\%)
\item File: File Access, $\sum E_{W}$ 8.21 (0.04\% / 82.97\%), $\sum T_{TOT}$ 1 (0.21\% / 40.47\%)
\item Cloud Storage: Cloud Storage Access, $\sum E_{W}$ 4.21 (0.02\% / 82.99\%), $\sum T_{TOT}$ 1 (0.21\% / 40.68\%)
\item Active Directory: Active Directory Object Modification, $\sum E_{W}$ 2.0 (0.01\% / 83.0\%), $\sum T_{TOT}$ 1 (0.21\% / 40.89\%)
\item Instance: Instance Creation, $\sum E_{W}$ 0.0 (0.0\% / 83.0\%), $\sum T_{TOT}$ 2 (0.42\% / 41.31\%)
\item Cloud Storage: Cloud Storage Enumeration, $\sum E_{W}$ 0.0 (0.0\% / 83.0\%), $\sum T_{TOT}$ 1 (0.21\% / 41.53\%)
\item Firewall: Firewall Disable, $\sum E_{W}$ 0.0 (0.0\% / 83.0\%), $\sum T_{TOT}$ 1 (0.21\% / 41.74\%)
\item Instance: Instance Deletion, $\sum E_{W}$ 0.0 (0.0\% / 83.0\%), $\sum T_{TOT}$ 1 (0.21\% / 41.95\%)
20
472 198
21704.35 18014.53
missing in detection 274
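print()
#excludes=['Command: Command Execution', 'Process: Process Creation']
sort_t = 3   # technique metric 3: weighted number of examples (W)
sort_ds = 4  # datasource metric 4: weighted total number of examples (W)
excludes = []  # datasources to leave out of the path; see the commented line above
# Shortest detection path entirely on the merged-with-subtechniques data:
# its own datasource ranking as the reference, its technique dict as the
# set to cover.
sp = worker1_merged_subt.get_shortest_path_for_detection(
    sort_type_ds=sort_ds,
    ref_ds_dict=worker1_merged_subt.ds_dict,
    ref_t_dict=worker1_merged_subt.t_dict,
    excluded_ds=excludes,
)
length = 0  # incremented once per datasource in the loop below
detectable_t = worker1_merged_subt.get_detectable_techniques(worker1_merged_subt.t_dict)
total_detectable_t = len(detectable_t)
# Weighted value summed over all detectable techniques (generator, no temp list).
total_detectable_tv = round(
    sum(worker1_merged_subt.t_dict[t].get_metric(sort_t) for t in detectable_t), 2
)
total_t, total_tv, ntot_t_p, ntot_tv_p = 0, 0, 0, 0
# Raw strings: "\s" is an invalid escape sequence in a normal literal (a
# warning today, a SyntaxError in future Python). The values are unchanged.
t_notation = r"$\sum T_{TOT}$"
tv_notation = r"$\sum E_{W}$"
counter = 0  # also incremented once per datasource in the loop below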
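def calc_perc(part, whole):
    """Return *part* as a percentage of *whole*.

    Args:
        part: the portion (int or float).
        whole: the total it is measured against.

    Returns:
        ``100 * part / whole`` as a float; 0.0 when *whole* is 0, so an
        empty "detectable" set yields 0% coverage instead of a
        ZeroDivisionError.
    """
    if not whole:
        return 0.0
    return 100 * float(part) / float(whole)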
# Walk the path in order and print the cumulative share of detectable
# techniques covered once each datasource is added (calc_perc is defined
# just above). counter and length end up equal: one step per datasource.
for ds in sp['ds'].values():
    counter += 1
    this_t = len(ds.techniques_in_detection)  # techniques this datasource adds
    this_tv = ds.get_metric(sort_ds)           # its weighted value
    this_t_p = calc_perc(this_t, total_detectable_t)
    this_tv_p = calc_perc(this_tv, total_detectable_tv)
    total_t += this_t
    total_tv += this_tv
    ntot_t_p += this_t_p
    ntot_tv_p += this_tv_p
    print(f"{ds.name} {round(ntot_t_p,2)}%")
length = counter
print(length)
print(total_detectable_t, total_t)
print(total_detectable_tv, total_tv)
print(f"missing in detection {len(sp['missing'])}")
Command: Command Execution 51.27% Network Traffic: Network Traffic Content 66.31% Process: Process Creation 71.82% File: File Metadata 74.58% User Account: User Account Authentication 77.75% Process: OS API Execution 81.99% Network Traffic: Network Traffic Flow 84.96% File: File Creation 86.86% Application Log: Application Log Content 89.19% Driver: Driver Load 89.41% Drive: Drive Modification 89.83% Active Directory: Active Directory Credential Request 90.68% File: File Content 91.1% Logon Session: Logon Session Creation 92.16% User Account: User Account Modification 93.22% Firmware: Firmware Modification 94.07% File: File Access 94.28% Drive: Drive Access 94.49% Cloud Storage: Cloud Storage Access 94.7% File: File Modification 97.03% Logon Session: Logon Session Metadata 97.25% Instance: Instance Creation 97.88% Snapshot: Snapshot Creation 98.31% Cloud Service: Cloud Service Disable 98.52% Cloud Service: Cloud Service Enumeration 98.73% Cloud Storage: Cloud Storage Enumeration 98.94% Firewall: Firewall Disable 99.15% Image: Image Creation 99.36% Instance: Instance Deletion 99.58% Instance: Instance Modification 99.79% User Account: User Account Creation 100.0% 31 472 472 21704.35 21704.350000000002 missing in detection 0